DEV Community: Francis Ndung'u

List Processes Attached to a Shared Memory Segment in Linux

Francis Ndung'u — Mon, 15 May 2023 07:56:15 +0000

*1. Overview
*

In Linux, a shared memory segment is part of the memory that two or more processes can share. It’s a mechanism meant to facilitate the communication and sharing of data between processes. However, monitoring these processes attached to the shared memory segment can be demanding for beginners.

In this tutorial, we’ll discuss an option that we can use to list these processes. First, we’ll look at the ipcs command and then follow this up with the pstree command.

*2. List Processes Attached to a Shared Memory Segment
*

First, let’s start by taking a look at all the shared memory segments in our system:

$ ipcs -m
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status      
0x00000000 6          francis      600        524288     2          dest

From the example above, we’re using the ipcs command to display the shared memory segments. In detail, the ipcs command is a utility for displaying information on inter-process communication (IPC) mechanisms. Also, we add the -m option to filter the output to only show information about the shared memory segments available.

So, we can see that there’s only one segment in our system. Further, from the visible column names, we have to note the shared memory segment identifier (shmid) value which acts as the process identifier for the shared memory segment. This is because, for us to list the processes attached to a shared memory segment, we have to first determine the process ID of this shared memory segment that we’re interested in.

Secondly, we can view information specific to a shared memory segment of our choosing:

$ ipcs -m -i 6
Shared memory Segment shmid=6
uid=1000    gid=1000    cuid=1000   cgid=1000
mode=01600  access_perms=0600
bytes=524288    lpid=4766   cpid=1574   nattch=2
att_time=Sun Jan 29 15:40:28 2023  
det_time=Sun Jan 29 15:40:28 2023  
change_time=Sun Jan 29 15:25:30 2023

Above, we’re displaying detailed information about the shared memory segment whose identifier is 6.

Next, we’re going to use the pstree command with shmid to list the attached processes:

$ pstree -p 6
rcu_par_gp(6)

The pstree command lists the processes attached to this shared memory segment in a tree-like structure. This command shows the relationship between processes by presenting the hierarchy of parent processes with their child processes. Additionally, we use the -p option to instruct pstree to include process identifiers (PIDs) in the output.

*3. Conclusion
*

In this tutorial, we’ve learned that shared memory is an important feature for processes to share data. Also, by using the ipcs command we get to view the shared memory segments in our system. Additionally, by utilizing the pstree command we get to list processes generated from the shared memory segment using its identifier (shmid)

Closing a Specific Port From the Linux Command Line

Francis Ndung'u — Tue, 09 May 2023 12:50:47 +0000

*1. Overview
*

In Linux, ports facilitate the communication of services over a network. The Linux services that accept incoming traffic (such as a web server) will listen for connections on a specific port. This port must be exposed in order for the service to receive the incoming connections.

However, there are times when we might be forced to close a specific port. For example, a service might be vulnerable due to poor configuration. As a result, attackers could take advantage of this compromise to exploit this service using its associated port. This is possible since most services usually have predefined ports they listen on – like SSH with port 22, HTTP with port 80, and many others. Therefore, it’s important we understand how to close an open port for security reasons.

So, to solve this issue, there is the option to block all ports by default and then open the specific port we’re interested in. However, we’ll take a different approach. In this tutorial, we’ll discuss how we can close a specific port from the Linux command line.

*2. Displaying All Active Ports in Linux
*

First, let’s display all the active ports on our system. We’ll use the ss command, which is useful for displaying information about the sockets on our system:

$ sudo ss -tulpn | grep LISTEN
tcp   LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*    users:(("systemd-resolve",pid=767,fd=14))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=931,fd=8))
tcp   LISTEN 0      511             [::]:80            [::]:*    users:(("nginx",pid=58147,fd=7),("nginx",pid=58146,fd=7),("nginx",pid=58145,fd=7),("nginx",pid=58144,fd=7),("nginx",pid=58143,fd=7))
tcp   LISTEN 0      50                 *:1716             *:*    users:(("kdeconnectd",pid=1869,fd=21))
tcp   LISTEN 0      128            [::1]:631           [::]:*    users:(("cupsd",pid=931,fd=7))

In the example above, we’re using the ss command with a number of options:

-t – show all the TCP ports
-u – present all the UDP ports
-l – display listening ports
-p – provide a service name and process ID (PID)
-n – no use of DNS

These options provide the ss command with the additional instructions needed to help customize the output.

Now, let’s see how we can use this output in the closing of a specific port.

*3. Closing a Specific Port With the systemctl Command
*

In this section, we’ll work with the systemctl command, which comes preinstalled in Linux.

The systemctl command provides an abstraction that allows system administrators to easily manage services. This means that we can use systemctl to start and stop services on our system. When we prevent a service from running, the port it was listening on is also closed.

Now, let’s work on closing port 80, which is currently open as per the output in the previous section. This means that we need to stop the Nginx service:

$ sudo systemctl stop nginx

Here, we’ve been able to terminate the Nginx service. However, this service will start again as soon as the system boots. Therefore, we need to make sure that this service remains disabled:

$ sudo systemctl disable nginx
...
Executing: /lib/systemd/systemd-sysv-install disable nginx
Removed /etc/systemd/system/multi-user.target.wants/nginx.service.

In the example above, we ensure that when we stop the Nginx service, it can’t start automatically after the system boot.

*4. Conclusion
*

In this article, we discussed how to use the ss command to show active ports in Linux. Then, we used this output to select a specific port to work with. As a result, we were able to close that specific port with the help of the systemctl command.

Restrict a User to One Directory in linux

Francis Ndung'u — Fri, 28 Apr 2023 09:43:11 +0000

1. Overview

Linux allows more than one user at a time to access a machine’s resources. As a system administrator, it’s important to understand the different techniques that are helpful in managing these users. One of these methods is restricting a user to a single directory, which helps improve the security of our system. For instance, we’re able to prevent certain users from accessing sensitive files, so that the users can’t accidentally delete them.

In this tutorial, we’ll discuss a useful method for restricting a user to a single directory. First, we’ll explore the concept of Linux shells. Next, we’ll understand what a restricted shell is. Finally, we’ll dive into setting up a restricted shell for an existing user and also for a new user upon creation.

2. Using a Restricted Shell

The Linux shell acts as the interface between the user and the operating system. To put it differently, it’s the command line interpreter that sends our instructions to the operating system.

There are different types of shells like Bash, sh, etc., and we can use any of them in the restricted shell mode. This means that the shell will have more restrictions than its original state. In this case, we’ll use Bash to demonstrate how it works.

2.1. A Restricted Shell for an Existing User

First, let’s change the shell for an existing user francis to a restricted Bash shell:

$ sudo usermod -s /bin/rbash francis

Here, we use usermod, a command that allows an administrator to modify the properties of a user in Linux. Further, we add the -s option to instruct usermod to change the default shell for the user francis from Bash to a restricted Bash shell (rbash).

Next, we create the directory that francis will be restricted to:

$ sudo mkdir -p /home/francis/restricted

In the example above, we’ve used the mkdir command to create a directory named restricted. We notice that there are two parent directories defined, namely, home and francis respectively. To ensure these directories are also created in the process, we include the -p option.

Further, we’ll change the home directory for francis to the restricted directory:

$ sudo usermod -d /home/francis/restricted francis

Now francis can only access this directory and its child directories after logging in. The -d option instructs usermod that we’re modifying the home directory property for the user.

2.2. A Restricted Shell for a New User

In this scenario, we’re creating a new user and configuring for them a restricted shell upon creation. To achieve this, we’ll work with the useradd command:

$ sudo useradd jeff -s /bin/rbash

The useradd command helps add a new user jeff to our system while the -s option allows us to define the default shell as the restricted Bash shell (rbash).

Next, let’s define the password for jeff with the help of the passwd command:

$ sudo passwd jeff

The passwd command allows us to set the password for our user.

Now, we create the directory that jeff will be confined to:

$ sudo mkdir -p /home/jeff/restricted

Here, we’re able to create all the directories defined in the path.

Finally, we set the home directory for our user to the directory we created above:

$ sudo usermod -d /home/jeff/restricted jeff

So, the user jeff can only operate within the confines of the restricted directory.

3. Conclusion

In this article, we explored what a restricted shell is and how to set it up for an existing user and a new user.

We also discussed the concept of a standard Linux shell. As a result, we were able to understand some commands useful for managing users as well as their information. Now, we’re able to restrict a user to one directory.