Fading Coder

One Final Commit for the Last Sprint


Linux User Management and Access Control

Tech May 7 4

Boot Process Overview

CentOS 6 Boot Sequence

  1. Power-On Self Test (POST)
     • Hardware validation and diagnostics
  2. MBR Boot Sector
     • Reads boot loader from disk Master Boot Record
  3. GRUB Menu
     • Select kernel version or enter single-user mode for password recovery
  4. Kernel Image Loading
     • Loads kernel into memory for hardware control
  5. First Process: init (sequential)
     • init process spawns services sequentially: network, SSH daemon
  6. Runlevel Configuration
     • Reads /etc/inittab for default runlevel
  7. Initialization Scripts Execution
     • Sets hostname and network interface configuration
  8. Service Scripts
     • Starts system services based on runlevel
  9. Display Manager
     • Launches mingetty for login prompt

CentOS 7 Boot Sequence

  1. Power-On Self Test
     • Hardware validation
  2. MBR Boot Sector
     • Reads boot loader from disk
  3. GRUB Menu
     • Kernel selection or recovery mode
  4. Kernel Image Loading
     • Initializes kernel modules
  5. First Process: systemd (parallel)
     • Services start concurrently
  6. Default Target
     • Reads /etc/systemd/system/default.target
  7. System Initialization
     • Reads /usr/lib/systemd/system/sysinit.target
  8. Service Auto-enablement
     • Loads /etc/systemd/system for automatic service startup
  9. Display Manager
     • Shows login prompt via mingetty

Permission Management

File Permission Basics

chmod u+r/w/x u-r/w/x u=rw
chmod g+r/w/x g-r/w/x g=rw
chmod o+r/w/x o-r/w/x o=rw

File Permission Flags:

  • r: Read file contents
  • w: Modify file contents
  • x: Execute file (scripts or binaries)

Key Principles:

  1. root retains absolute control: root can access any file regardless of its permission bits, and only needs an execute bit to be set in order to execute it
  2. Write and execute permissions on files require read permission
  3. All file operations require read permission

Directory Permission Basics

Directory Permission Flags:

  • r: List directory contents and attributes
  • w: Create, rename, or delete files within directory
  • x: Enter (cd into) directory

Key Principles:

  1. root maintains absolute control over directories
  2. Write and read operations on directories require execute permission
  3. Directory navigation requires execute permission
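As an added example (not code from the original post), the following Python models the decision rule behind both "Key Principles" lists above, including the root special case and the w+x requirement for changing directory entries; every uid, gid and mode it is called with is a constructed value.

```python
# Added example, not code from the original post: a small model of the Linux
# permission decision described in the two "Key Principles" lists above.
# All uids, gids and modes used here are constructed inputs.

S_IFDIR = 0o040000          # directory file-type bit, as in stat(2)
R, W, X = 4, 2, 1           # rwx bits of one permission class

def permission_class(perm, uid, gid, file_uid, file_gid, groups):
    """Pick the 3-bit class (owner, group or other) that applies to the caller."""
    if uid == file_uid:
        return (perm >> 6) & 7
    if gid == file_gid or file_gid in groups:
        return (perm >> 3) & 7
    return perm & 7

def may(access, mode, uid, gid=None, file_uid=0, file_gid=0, groups=()):
    """access is 'r', 'w' or 'x'; mode carries the file-type bits (e.g. 0o100644)."""
    want = {"r": R, "w": W, "x": X}[access]
    gid = uid if gid is None else gid
    is_dir = bool(mode & S_IFDIR)
    perm = mode & 0o777
    if uid == 0:
        # root bypasses the read/write check on any file and may always enter a
        # directory; executing a regular file still needs at least one x bit set.
        if want != X or is_dir:
            return True
        return bool(perm & 0o111)
    return bool(permission_class(perm, uid, gid, file_uid, file_gid, groups) & want)

def may_modify_entries(dir_mode, uid, gid=None, dir_uid=0, dir_gid=0, groups=()):
    """Creating, renaming or deleting entries needs w AND x on the directory."""
    return (may("w", dir_mode, uid, gid, dir_uid, dir_gid, groups)
            and may("x", dir_mode, uid, gid, dir_uid, dir_gid, groups))

if __name__ == "__main__":
    # A 0600 file owned by uid 1000: root reads it but cannot execute it.
    print(may("r", 0o100600, 0, file_uid=1000), may("x", 0o100600, 0, file_uid=1000))
    # A drwx------ directory owned by 1000: uid 1001 cannot cd into it.
    print(may("x", 0o040700, 1001, file_uid=1000))
    # A drw------- directory: even its owner cannot delete entries without x.
    print(may_modify_entries(0o040600, 1000, dir_uid=1000))
```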

User Skeleton Files

When creating a new user, the home directory populates from /etc/skel:

-rw-r--r--.  1 root root   18 Apr 11  2018 .bash_logout   # Commands executed on logout
-rw-r--r--.  1 root root  193 Apr 11  2018 .bash_profile  # User-specific environment variables
-rw-r--r--.  1 root root  231 Apr 11  2018 .bashrc        # User-specific aliases and functions

System Files for User Management

/etc/passwd Structure

username:password:uid:gid:comment:home_dir:shell

Fields breakdown:

  1. Username
  2. Password placeholder (x indicates password stored in /etc/shadow)
  3. User ID (UID)
  4. Group ID (GID)
  5. Comment/Description (e.g., service accounts like mysql, www)
  6. Home directory path
  7. Login shell
    • /bin/bash - standard bash shell
    • /usr/bin/sh - POSIX shell
    • /sbin/nologin - restricted access
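An added example, not part of the original post: a parser for this seven-field layout, run over constructed sample lines, that reports the entries an auditor checks first (extra UID 0 accounts, empty password fields, system accounts with an interactive shell). The UID_MIN of 1000 is an assumption matching the CentOS 7 default in /etc/login.defs.

```python
# Added example, not code from the original post: parse lines in the
# username:password:uid:gid:comment:home:shell layout and flag the entries
# an auditor checks first. Sample lines are constructed; UID_MIN is assumed.
from collections import Counter

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
UID_MIN = 1000

SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "bin:x:1:1:bin:/bin:/sbin/nologin",
    "appuser01:x:1067:1067::/home/appuser01:/sbin/nologin",
    "backdoor:x:0:0::/root:/bin/bash",            # constructed: a second UID 0 account
    "legacy::1070:1070::/home/legacy:/bin/bash",   # constructed: empty password field
    "svc:x:999:999::/var/lib/svc:/bin/bash",       # constructed: system account, real shell
])

def parse_passwd(text):
    """Split /etc/passwd text into dicts; every line must have exactly 7 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries

def audit_passwd(entries):
    """Return one finding string per suspicious condition found."""
    findings = []
    shared = {u for u, n in Counter(e["uid"] for e in entries).items() if n > 1}
    for e in entries:
        name, uid, shell = e["name"], e["uid"], e["shell"]
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        elif uid in shared:
            findings.append(f"{name}: shares UID {uid} with another account")
        if e["passwd"] == "":
            findings.append(f"{name}: empty password field (no password required)")
        elif e["passwd"] != "x":
            findings.append(f"{name}: hash stored in /etc/passwd instead of /etc/shadow")
        if 0 < uid < UID_MIN and shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: system account with interactive shell {shell}")
    return findings
```

On a live host, `audit_passwd(parse_passwd(open("/etc/passwd").read()))` gives the same report for the real file.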

Related Files

  • /etc/shadow - encrypted password storage
  • /etc/group - group membership information
  • /etc/gshadow - group password information

User Management Commands

useradd Command Options

useradd [options] username

Common options:

  • -M: No home directory created
  • -s: Specify login shell
  • -c: Add comment/description
  • -g: Specify primary group
  • -G: Specify supplementary groups
  • -u: Specify user ID

Creating System Users

# Create service account without login access
[root@server ~]# useradd appuser01 -M -s /sbin/nologin
[root@server ~]# id appuser01
uid=1067(appuser01) gid=1067(appuser01) groups=1067(appuser01)
[root@server ~]# grep appuser01 /etc/passwd
appuser01:x:1067:1067::/home/appuser01:/sbin/nologin

User Creation Examples

# Specify custom UID
[root@server ~]# useradd devuser01 -u 2000
[root@server ~]# id devuser01
uid=2000(devuser01) gid=2000(devuser01) groups=2000(devuser01)

# Assign to primary group
[root@server ~]# useradd devuser02 -u 2001 -g devgroup01
[root@server ~]# id devuser02
uid=2001(devuser02) gid=1068(devgroup01) groups=1068(devgroup01)

# Add to multiple groups
[root@server ~]# useradd devuser03 -u 2002 -g devgroup01 -G devgroup02
[root@server ~]# id devuser03
uid=2002(devuser03) gid=1068(devgroup01) groups=1068(devgroup01),2000(devgroup02)

# Create service account with description
[root@server ~]# useradd db_service -s /sbin/nologin -M -c "Database Service Account"
[root@server ~]# grep db_service /etc/passwd
db_service:x:2005:2005:Database Service Account:/home/db_service:/sbin/nologin

usermod Command Options

usermod [options] username

Options:

  • -s: Change login shell
  • -u: Change user ID (used in the example below)
  • -g: Change primary group
  • -G: Change supplementary groups
  • -c: Modify comment

Examples

# Disable shell access
[root@server ~]# usermod appuser02 -s /sbin/nologin
[root@server ~]# grep appuser02 /etc/passwd
appuser02:x:1068:1068::/home/appuser02:/sbin/nologin

# Change UID
[root@server ~]# usermod appuser02 -u 3000
[root@server ~]# id appuser02
uid=3000(appuser02) gid=1068(appuser02) groups=1068(appuser02)

userdel Command

# Remove user and home directory
userdel -r username

[root@server ~]# userdel -r appuser03
[root@server ~]# ll /home/appuser03 -d
ls: cannot access /home/appuser03: No such file or directory

Group Management

# Create group
[root@server ~]# groupadd developers
[root@server ~]# useradd devlead -g developers
[root@server ~]# id devlead
uid=3003(devlead) gid=3003(developers) groups=3003(developers)

Additional commands:

  • groupmod: Modify group properties
  • groupdel: Remove group

Privilege Escalation with sudo

Granting elevated privileges to regular users:

Basic Configuration

visudo

Validate the configuration syntax:

visudo -c

Authorization Methods

  1. Grant specific commands:
     username ALL=/usr/sbin/useradd, /usr/bin/rm
  2. Grant command directories (excluding dangerous commands):
     username ALL=/usr/sbin/*, !/usr/sbin/visudo, /usr/bin/*
  3. Passwordless execution:
     username ALL=(ALL) NOPASSWD: /usr/sbin/*, !/usr/sbin/visudo, /usr/bin/*

Verifying Assigned Permissions

sudo -l

Testing Privileges

[regularuser@server ~]$ sudo useradd testuser01
useradd: user 'testuser01' already exists
[regularuser@server ~]$ sudo useradd testuser02
[regularuser@server ~]$ sudo rm -f /etc/hosts

Special Permission Bits

Standard Unix permissions use 9 bits (owner-group-others). Linux extends this with 3 additional special bits.

setuid (4)

Allows users to execute a file with the file owner's privileges.

# Set setuid bit
chmod u+s filename
chmod 4755 filename

The 's' appears in the owner's execute position (for example -rwsr-xr-x).

setgid (2)

Enables execution with the file's group privileges.

# Set setgid bit
chmod g+s filename
chmod 2755 filename

The 's' appears in the group's execute position (for example -rwxr-sr-x).

sticky bit (1)

Primarily used for shared directories. Users can create files but only delete their own files.

# Set sticky bit
chmod o+t shared_directory
chmod 1777 shared_directory

System-provided shared directory:

ll -d /tmp/
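As an added example (not from the original post), this Python converts the mode column of ls -l into its octal value including the three special bits just described, flags the combinations worth reviewing, and also handles the uppercase S/T form that ls prints when a special bit is set without the execute bit. All mode strings it is given are constructed.

```python
# Added example, not code from the original post: convert the 10-character
# mode column of ls -l into its octal value, including the setuid (4),
# setgid (2) and sticky (1) bits, and flag what an auditor would review.

SPECIAL_VALUE = {2: 0o4000, 5: 0o2000, 8: 0o1000}   # execute column -> special bit

def parse_ls_mode(mode):
    """Return (file_type_char, mode_int) for a string such as '-rwsr-xr-x'."""
    if len(mode) != 10:
        raise ValueError("expected 10 characters, e.g. -rwsr-xr-x")
    ftype, perms = mode[0], mode[1:]
    value = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)                 # 0o400 for the first column, 1 for the last
        if i % 3 != 2:                     # r or w column
            expected = "r" if i % 3 == 0 else "w"
            if ch not in (expected, "-"):
                raise ValueError(f"bad character {ch!r} at column {i + 1}")
            if ch != "-":
                value |= bit
            continue
        # execute column: 's' (owner, group) or 't' (others) means special bit
        # plus execute; the uppercase letter means special bit without execute.
        letter = "s" if i < 8 else "t"
        if ch == "x":
            value |= bit
        elif ch == letter:
            value |= bit | SPECIAL_VALUE[i]
        elif ch == letter.upper():
            value |= SPECIAL_VALUE[i]
        elif ch != "-":
            raise ValueError(f"bad character {ch!r} at column {i + 1}")
    return ftype, value

def review(mode_string):
    """Findings for one ls -l mode string; an empty list means nothing to flag."""
    ftype, m = parse_ls_mode(mode_string)
    found = []
    if ftype == "-" and m & 0o4000:
        found.append("setuid executable: runs with the owner's privileges")
    if ftype == "-" and m & 0o2000:
        found.append("setgid executable: runs with the group's privileges")
    if ftype == "d" and m & 0o002 and not m & 0o1000:
        found.append("world-writable directory without sticky bit: anyone can delete others' files")
    if ftype == "-" and m & 0o002:
        found.append("world-writable file")
    return found
```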

File Protection Attributes

Making Files Immutable

Prevent modification even by root:

# Add immutable attribute
chattr +i protected.txt
lsattr protected.txt

Any attempt to modify, rename or delete the file is refused with "Operation not permitted".

Verification

# Check attributes
lsattr protected.txt

Removing Protection

# Remove immutable attribute
chattr -i protected.txt
lsattr protected.txt
