🐧 Linux — The Foundation for Every Developer

🚀 Learn Linux the Right Way — Practical, In-Depth & RHCSA-Focused

Master Linux from the ground up — from basic commands and system navigation to advanced administration, networking, automation, and security.
These tutorials are designed for real-world learning and complete RHCSA exam preparation.

Introduction to Linux

Linux is a free, open-source operating system that powers everything from mobile devices to servers and supercomputers. It provides a stable, secure, and efficient platform for both personal and enterprise use.

Why Learn Linux?

It’s the backbone of cloud, DevOps, and server administration.
Used by major companies — Google, Amazon, Red Hat, IBM, and more.
Essential for certifications like RHCSA, RHCE, and LFCS.

Key Features

Multi-user and multi-tasking support
Open-source and customizable
Secure and stable
Community-driven development

💡 Pro Tip: Learning Linux gives you the foundation for working with any modern technology stack — from development to deployment.

Linux Architecture Overview

The Linux operating system is structured in layers, each with a specific role in how it operates.
Hardware ⮕ Kernel ⮕ System Libraries ⮕ Utilities ⮕ User Space Here’s a simplified breakdown of its main components:

Layer	Description
Hardware	The physical components — CPU, memory, disks, and devices.
Kernel	The brain of Linux — manages hardware, memory, and processes.
System Libraries	Provide functions that interact with the kernel (e.g., glibc).
System Utilities	Core tools for managing files, processes, and users.
User Space	Where applications and user commands run.

💡 Pro Tip: The kernel is like a bridge between your hardware and software, it ensures they talk efficiently.

Linux Distributions

Below are some of the most popular Linux distributions widely used across different environments:

Ubuntu — Beginner-friendly and ideal for newcomers, developers, and desktop users.
Fedora — Known for its cutting-edge features and frequent updates.
CentOS Stream — A rolling-release model that tracks just ahead of RHEL.
RHEL (Red Hat Enterprise Linux) — Enterprise-grade, stable, and widely adopted in production environments; essential for RHCSA/RHCE certifications.
AlmaLinux — A free, open-source, 1:1 binary-compatible alternative to RHEL, popular after CentOS transitioned to Stream.
Debian — Renowned for its stability, strong community support, and long-term reliability.

💡 Pro Tip: If you’re preparing for RHCSA, focus on RHEL or AlmaLinux, since both share the same commands, structure, and package management system

Accessing the Command Line in Linux

Bash Shell

The Bash (Bourne Again Shell) is the default command-line interface in most Linux systems, used to execute commands, run scripts, and automate administrative tasks.

[user@host ~]$ → Shell Prompt

[user@host ~]# → Superuser Shell Prompt

Login using SSH

SSH (Secure Shell) is a protocol used to securely connect to a remote Linux system over a network. It encrypts all communication, protecting passwords and commands from eavesdropping.

ssh username@remotehost

- username → the user account on the remote system
- remotehost → the hostname or IP address of the remote system

For added security, you can use SSH keys instead of passwords (Click here for more details on SSH Keys):

ssh -i /path/to/private_key username@remotehost

- -i /path/to/private_key → specifies your private key file
- The matching public key must be added to the remote user’s ~/.ssh/authorized_keys

Host Verification

The first time you connect to a remote host, SSH may prompt:

The authenticity of host 'remotehost (IP)' can't be established. Are you sure you want to continue connecting (yes/no)?

- Enter yes to accept the host key and save it for future connections.

Security Tip

Never share your private key.
Use chmod 600 mykey.pem to restrict access to your key file.

Logout

To safely end your session, type:
exit
or press Ctrl + D.

💡 Pro Tip: Using SSH keys is highly recommended for servers and cloud instances, especially for RHCSA exam practice and real-world setups.

Basic Linux commands and Shortcuts

This section introduces some of the most commonly used Linux commands and Bash shortcuts that every user should know.

Common Commands

whoami → Displays the current logged-in username
command1; command2 → Executes multiple commands sequentially
date → Displays the current date and time
date +%R → Displays the time in HH:MM format (+%R is a string formatter)
date +%x → Displays the current date in MM/DD/YYYY format (+%x is a string formatter)
passwd → Changes or sets the user’s password
file <file_name>/<directory_name> → Determines and displays the type of file or directory

Viewing File Contents

cat <file_name> → Displays the content of a file
cat <file_name1> <file_name2> → Displays the contents of multiple files sequentially
less <file_name> → Views long files page by page (use ↑ / ↓ keys to scroll, and Q to exit)
head <file_name> → By default, displays the first 10 lines of a file
head -n 15 <file_name> → Displays the first 15 lines of a file. The number 15 can be replaced with any number
tail <file_name> → By default, displays the last 10 lines of a file
tail -n 20 <file_name> → Displays the last 20 lines of a file. The number 20 can be replaced with any number

Counting File Data

wc <file_name> → Counts lines, words, and characters in a file
wc -l <file_name> → Counts only the number of lines
wc -w <file_name> → Counts only the number of words
wc -c <file_name> → Counts only the number of characters

Command History and Continuation

history → Displays a list of previously executed commands
!ls → Repeats the most recent command starting with “ls”
!<number> → Executes the command corresponding to that number from the history (e.g., !25)

Command Continuation

When a command is too long to fit on one line, you can use a backslash (\) at the end of the line to continue typing on the next line.

This improves readability and organization in scripts or complex commands.

Always make sure there’s no space after the backslash, or the continuation won’t work.

- head -n 3 \
  > /usr/share/dict/words \
  > /usr/share/dict/linux.words

Other Useful Commands

man -k <keyword/command> → Searches the manual (man) pages for a given keyword or command
mkdir -p Thesis/Chapter1 Thesis/Chapter2 Thesis/Chapter3 → Creates multiple parent and subdirectories at once

Tab Completion

Tab completion helps you quickly complete commands or file names by pressing the Tab key.

- Press Tab once → Auto-completes if the command or file name is unique.
- Press Tab twice → Shows all possible matches.

Useful Command-line Editing Shortcuts

Shortcut	Description
Ctrl + A	Jump to the beginning of the command line.
Ctrl + E	Jump to the end of the command line.
Ctrl + U	Clear from the cursor to the beginning of the command line.
Ctrl + K	Clear from the cursor to the end of the command line.
Ctrl + ← (Left Arrow)	Jump to the beginning of the previous word on the command line.
Ctrl + → (Right Arrow)	Jump to the end of the next word on the command line.
Ctrl + R	Search the history list of commands for a matching pattern.

SSH Key-Based Authentication

SSH key-based authentication is a more secure and convenient way to log in to remote systems without using passwords.

Instead of typing your password each time, a pair of cryptographic keys (a public key and a private key) is used to establish trust between the client and the server.

The private key acts as your authentication credential and must be kept secret and secure, just like a password.
The public key is copied to the remote system you want to access and is used to verify the private key. It does not need to be confidential.

Generating SSH Keys

To create a private key and matching public key for authentication, use the ssh-keygen command.

[user@host ~]$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter

Enter passphrase (empty for no passphrase): Enter

Enter same passphrase again: Enter

Your identification has been saved in /home/user/.ssh/id_rsa.

Your public key has been saved in /home/user/.ssh/id_rsa.pub.

~/.ssh/id_rsa → Private key
~/.ssh/id_rsa.pub → Public key

If you set a passphrase, you’ll need to enter it when using the key. Else, anyone with your private key file could use it.
Example: Custom Key Name with Passphrase

[user@host ~]$ ssh-keygen -f ~/.ssh/key-with-pass

Generating public/private rsa key pair.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in ~/.ssh/key-with-pass

Your public key has been saved in ~/.ssh/key-with-pass.pub

The -f option lets you specify a custom filename.
The example above creates a passphrase-protected key pair:
- ~/.ssh/key-with-pass → Private key
- ~/.ssh/key-with-pass.pub → Public key

Sharing the Public Key

The ssh-copy-id command copies the public key of the SSH keypair to the destination system.

ssh-copy-id -i .ssh/key-with-pass.pub user@remotehost → Copies the specified public key to the remote host.
ssh-copy-id user@remotehost → Copies the default public key (~/.ssh/id_rsa.pub) to the remote host.
ssh -i .ssh/key-with-pass user@remotehost → Uses the specified private key to connect.
ssh user@remotehost → Uses the default private key (~/.ssh/id_rsa) to connect.

SSH-agent

When using SSH keys protected with a passphrase, you normally need to enter it each time you connect.
To avoid this, you can use ssh-agent, which securely stores your private key’s passphrase in memory, allowing you to enter it only once per session.

eval "$(ssh-agent -s)" → Start the agent
ssh-add ~/.ssh/id_rsa → Add your key (enter passphrase once)
ssh user@remotehost → Login without re-entering it

💡 Pro Tips:

The permission modes must be 600 on the Private Key, 644 on the Public Key, and 600 for Authorized Keys

chmod 600 ~/.ssh/id_rsa → Private Key Permission
chmod 600 ~/.ssh/authorized_keys → Authorized Keys Permission
chmod 644~/.ssh/id_rsa.pub –> Public Key Permission

When you run the ssh-keygen command again without changing the filename of the existing keys, the old keys are overwritten with new ones. As a result:

The old public key previously shared with a server is no longer valid.
You will not be able to log in to that server using the new private key.
To fix this, you must copy the new public key again to the remote server using the ssh-copy-id command

Managing File Systems

On Linux, all files are organized in a single inverted tree called the file-system hierarchy, with / as the root directory.
Subdirectories like /etc and /boot help organize files by type and purpose.
Files and directories are referenced using / as a separator, e.g., /etc/issue refers to the issue file inside /etc.

Location	Purpose
/usr	Installed software, libraries, include files, and read-only program data. Important subdirs: /usr/bin (user commands), /usr/sbin (admin commands), /usr/local (local software).
/etc	System-specific configuration files.
/var	Variable data that persists across boots, e.g., databases, logs, cache, and website content.
/run	Runtime data for processes since last boot, including PID and lock files. Recreated on reboot.
/home	Home directories for regular users’ personal data and configs.
/root	Home directory for the administrative superuser, root.
/tmp	Temporary files. Auto-deleted if not used for 10 days. /var/tmp retains files for 30 days.
/boot	Files required for system boot.
/dev	Special device files used to access hardware.

Basic Linux Commands You Should Know

pwd → Prints current directory.
ls → Lists all files and directories in the current directory.

Note: All ls variations (-l, -la, -R) support specifying one or more directories, e.g., ls /etc /var.

- ls -l → Shows files in long listing format with details like permissions, owner, size, and modification date.
- ls -la → Lists all files including hidden files (those starting with .).
- ls -R → Recursively lists all files in the current directory and its subdirectories.
cd <directory_path> → Changes the current directory.
cd .. → Moves up one level to the parent directory.
cd - → Changes back to the previous directory.
touch <file_name> → Updates a file’s timestamp to the current date/time or creates an empty file if it doesn’t exist.

Command-line File Management

To manage files and directories effectively, you can use various commands to create, remove, copy, move, and organize them.

Creating Directories

mkdir <directory1> <directory2> → Creates one or more directories.
mkdir -p <directory1> <directory2> → Creates parent directories if they don’t already exist.
Example:
- mkdir Videos/Watched
- mkdir -p Thesis/Chapter1 Thesis/Chapter2 Thesis/Chapter3

Copying Files

cp <filename> <new-filename> → Copies a file and creates a duplicate with a new name.
cp -r <directory> <new-directory> → Copies an entire directory recursively (all files and subdirectories).
If the destination already exists, it will be overwritten.
Example:
- cp blockbuster1.ogg blockbuster3.ogg
- cp -r Thesis ProjectX

Moving Files

mv <filename> <new-filename> → Moves or renames a file.
mv <directory> <new-directory> → Moves or renames a directory.
Example:
- mv thesis_chapter2.txt thesis_chapter2_updated.txt
- mv Chapter1 Thesis/Chapter1_updated

Removing Files and Directories

rm <filename1> <filename2> → Removes one or more files.
rm -r <directory1> <directory2> → Removes directories and their contents recursively.
- Use -i for confirmation before each file.
- Use -f to force deletion without prompts.
rmdir <directory1> <directory2> → Removes empty directories.
Example:
- rm thesis_chapter2_updated.txt
- rm -rf Chapter1_updated
- rmdir Chapter1

Managing Links Between Files

It’s possible to create multiple names that point to the same file — through Hard Links and Soft (Symbolic) Links.

Hard Links

A Hard Link is another name that points directly to the same file data.
Even if the original file is deleted, its contents remain available through the hard link.
Hard links cannot be created for directories.
Hard links must be on the same file system.
ln newfile.txt /tmp/newfile-hlink2.txt → Command to create hard link
- ln → Command used to create a hard link
- newfile.txt → Original file
- /tmp/newfile-hlink2.txt → Hard link name
To verify both files point to the same data:
- [user@host ~]$ ls -il newfile.txt /tmp/newfile-hlink2.txt
  8924107 -rw-rw-r--. 2 user user 12 Mar 11 19:19 newfile.txt
  8924107 -rw-rw-r--. 2 user user 12 Mar 11 19:19 /tmp/newfile-hlink2.txt
- The same inode number confirms both are hard links to the same file.
When to use:
- You want multiple filenames for the same file on the same file system.
- You need backup-like access without extra storage.

Soft (Symbolic) Links

A Soft Link (also called a Symbolic Link) is a special type of file that points to another file or directory.
Can link files across different file systems.
Can link to directories or special files, not just regular files.
If the original file is deleted, the soft link remains but becomes a “dangling link” (A Soft link pointing to a missing file).
ln -s /home/user/newfile-link2.txt /tmp/newfile-symlink.txt → Command to create soft link
- ln -s → Command used to create a soft (symbolic) link
- /home/user/newfile-link2.txt → Original file
- /tmp/newfile-symlink.txt → Soft link name
When to use:
- You want a shortcut to another location.
- You’re linking across partitions or to a directory.
- You frequently manage system files, logs, or scripts from one place.

Command-Line Expansions

The Bash shell supports several kinds of expansions that simplify command-line operations. These include pattern matching (globbing), home directory expansion, string and variable expansion, and command substitution.

Pattern Matching (Globbing)

Globbing expands wildcard patterns into matching file or path names. These metacharacters help you perform operations on multiple files efficiently.

Pattern	Examples	Explanation
*	ls a* → matches able, alfa ls a → matches able, baker, charlie	Matches any string of zero or more characters.
?	ls ?.txt → matches a.txt, b.txt ls a? → matches ab, ax	Matches exactly one single character.
[abc…]	ls [ab]* → matches able, baker ls [ch]* → matches charlie, henry	Matches any one character from the specified set inside brackets.
[!abc…] or [^abc…]	ls [!a]* → matches everything except files starting with a ls [^b]* → matches all files not starting with b	Matches any one character not in the specified set.
[[:alpha:]]	ls [[:alpha:]]* → matches able, charlie ls *[[:alpha:]] → matches filea, testB	Matches alphabetic characters only (A–Z, a–z).
[[:lower:]]	ls [[:lower:]]* → matches able, baker ls *[[:lower:]] → matches filea, datax	Matches lowercase letters only.
[[:upper:]]	ls [[:upper:]]* → matches File1, Test ls *[[:upper:]] → matches fileA, dataX	Matches uppercase letters only.
[[:alnum:]]	ls [[:alnum:]]* → matches file1, test ls *[[:alnum:]] → matches data1, x9	Matches letters and digits (A–Z, a–z, 0–9).
[[:punct:]]	ls [[:punct:]]* → matches _file, -data ls [[:punct:]] → matches data-file, name_test	Matches punctuation or symbols, not spaces or alphanumeric characters.
[[:digit:]]	ls [[:digit:]]* → matches 1file, 2025.txt ls *[[:digit:]] → matches file1, log9	Matches digits only (0–9).
[[:space:]]	ls [[:space:]] → matches “my file.txt”, “test data.csv” ls *[[:space:]] → matches “data file”	Matches whitespace characters (space, tab, newline, etc.).

Tilde Expansion (`~`)

The tilde (~) represents the home directory of the current or specified user.
Example:
- [user@host home]$ ls ~root
  /root
- [user@host home]$ echo ~/home
  /home/user/home

Brace Expansion (`{}`)

Used to generate multiple strings in one command. Braces contain:
- A comma-separated list of strings, or
- A sequence expression using ...
Example:
- [user@host home]$ echo {Sunday,Monday,Tuesday,Wednesday}.log
  Sunday.log Monday.log Tuesday.log Wednesday.log
- [user@host home]$ echo file{1..3}.txt
  file1.txt file2.txt file3.txt
- [user@host home]$ echo file{a..c}.txt
  filea.txt fileb.txt filec.txt
- [user@host home]$ echo file{a,b}{1,2}.txt
  filea1.txt filea2.txt fileb1.txt fileb2.txt
- [user@host home]$ echo file{a{1,2},b,c}.txt
  filea1.txt filea2.txt fileb.txt filec.txt

Note: You can replace echo with other commands like mkdir, touch, cat, less, etc., to perform actions on multiple files or directories at once.

Variable Expansion (`$VARIABLE`)

Variables store values that can be expanded (substituted) in commands.
Syntax:
- VARIABLENAME=value
  echo $VARIABLENAME
Example:
- [user@host ~]$ USERNAME=operator
  [user@host ~]$ echo $USERNAME
  operator
- [user@host ~]$ echo ${USERNAME}
  operator

Command Substitution (`$(command)`)

Replaces a command with its output.
Example:
- [user@host glob]$ echo The time is $(date +%M) minutes past $(date +%l%p).
  The time is 26 minutes past 11AM.

Protecting Arguments from Expansion

To prevent unwanted shell expansions, you can use escaping or quoting.
Escaping: Use \ (backslash) to protect the next character from expansion
Example:
- [user@host glob]$ echo The value of \$HOME is your home directory.
  The value of $HOME is your home directory.
Quoting: Controls how the shell interprets special characters.
- Single Quotes ' ' → Prevents all expansions.
- Double Quotes " " → Prevents most expansions, but allows variable and command substitution.
Example:
- [user@host glob]$ myhost=$(hostname -s); echo $myhost
  host
- [user@host glob]$ echo "***** hostname is ${myhost} *****"
  ***** hostname is host *****
- [user@host glob]$ echo "Will variable $myhost evaluate to $(hostname -s)?"
  Will variable host evaluate to host?
- [user@host glob]$ echo 'Will variable $myhost evaluate to $(hostname -s)?'
  Will variable $myhost evaluate to $(hostname -s)?

Redirecting Output to a File or Program

You can send a command’s output to a file or another program instead of the terminal using redirection (>, >>) and pipelines (|). This helps save results or pass data seamlessly between commands.

Standard Input, Standard Output, and Standard Error

Every running program (process) interacts with three standard data streams called file descriptors:

File Descriptor	Name	Description
0	Standard Input (stdin)	Reads input (usually from the keyboard).
1	Standard Output (stdout)	Sends normal output to the terminal.
2	Standard Error (stderr)	Sends error messages to the terminal.

Redirection allows these streams to be sent to or read from files instead.

Redirecting Output to a File

I/O redirection changes how a process reads or writes data. Instead of showing output on the terminal, it can be saved to a file or discarded.

If the file doesn’t exist → it’s created.
If the file exists → it’s overwritten unless using >> (append).
To discard unwanted data, redirect it to /dev/null.

Operator / Command	Explanation	Example
`>`	Redirects stdout (normal output) to a file, overwriting any existing content.	`ls > files.txt`
`>>`	Redirects stdout and appends output to a file (does not overwrite).	`echo "done" >> log.txt`
`2>`	Redirects stderr (error messages) to a file, overwriting existing content.	`ls /root 2> errors.log`
`2>>`	Redirects stderr and appends to a file.	`ls /root 2>> errors.log`
`2> /dev/null`	Discards error messages completely.	`ls /root 2> /dev/null`
`> file 2>&1`	Redirects both stdout and stderr to the same file (overwrite mode).	`ls /root > all.log 2>&1`
`>> file 2>&1`	Redirects both stdout and stderr to the same file (append mode).	`ls /root >> all.log 2>&1`
`&> file`	Bash shortcut: redirects both stdout and stderr (overwrite mode).	`ls &> output.log`
`&>> file`	Bash shortcut: redirects both stdout and stderr (append mode).	`ls &>> output.log`
`< file`	Redirects stdin (input) from a file.	`sort < names.txt`

Constructing Pipelines

A pipeline is a sequence of one or more commands separated by the pipe symbol (|).

It connects the stdout of one command to the stdin of the next.

Itsend output from one process directly into another.

Example:

ls -t | head -n 10 > /tmp/ten-last-changed-files → List the 10 most recently modified files and save to a file.

tee combine redirection with a pipeline, it copies its stdin to both stdout and one or more files

Example:

ls -t | head -n 10 | tee /tmp/ten-last-changed-files → Save final pipeline output and also show it on screen.

💡 Pro Tip: The order matters when redirecting both output and errors. the correct order is first stdout and then stderr.

Editing Text Files

Vim is one of the most powerful and widely used text editors in Linux and UNIX systems. It’s fast, efficient, and ideal for editing configuration files directly from the terminal even on remote servers. Knowing Vim ensures you can manage files without a graphical interface, making it an essential skill for every Linux user.

Vim can be accessed in two ways:

vi filename → Lightweight version available with the vi command (core editing features only)
vim filename → Full version with advanced features, syntax highlighting, and help system.

Basic Vim Workflow

Open a file:
- vim filename
Press i to enter insert mode and start editing
Press Esc to return to command mode
Save your changes with :w or save and quit with :wq
Exit without saving using :q!
Display absolute line numbers :set number
Undo the last change with u
Delete a single character with x

Changing the Shell Environment

You can customize your shell environment by setting shell variables and environment variables. These variables can store values, simplify commands, and modify the behavior of the shell or programs run from it.

Shell Variables

Shell variables are local to a particular shell session.
Assign values using:
- VARIABLENAME=value
Example:
- COUNT=40
- first_name=John
Accessing variable values:
- echo $COUNT
- echo ${COUNT}x

Environment Variables

Environment variables are exported from the shell so programs can access them.
Export a variable:
- export EDITOR=vim
Common environment variables:
- PATH → directories searched for executable programs
- HOME → user’s home directory
- LANG → locale and language settings
Example:
- export PATH=${PATH}:/home/user/sbin
- export LANG=fr_FR.UTF-8

Automatic Variable Setup

To set variables automatically at shell startup, edit Bash startup scripts like ~/.bashrc:
- vim ~/.bashrc
- PATH="$HOME/.local/bin:$HOME/bin:$PATH"
  export PATH
  export EDITOR=vim

Unsetting and Unexporting Variables

Remove a variable entirely:
- unset PS1
Remove export without unsetting:
- export -n PS1

Managing Users and Groups

Users

A user represents an account on the system that can log in and access resources.
Each user has a unique username and a user ID (UID).
Users can have different levels of privileges:
- Root user (UID 0) → Superuser with full system control (UID 0).
- Regular users → Created for normal activities, with limited access.
- System User → Used for system processes and services (non-login accounts).
You can use the id command to show information about the currently logged-in user, also you can pass the username to the id command as an argument to information about another user
Example:
- [user01@host ~]$ id
  uid=1000(user01) gid=1000(user01) groups=1000(user01) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
- [user01@host]$ id user02
  uid=1002(user02) gid=1001(user02) groups=1001(user02) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
All user account information are stored in /etc/passwd file, where each line represents one user, with fields separated by colons (:)
- username:password:UID:GID:GECOS:home_directory:shell → Syntax of /etc/passwd
- alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash → entry in /etc/passwd
getent passwd username → Displays user info from /etc/passwd.

Field	Description
`username`	Login name
`x`	Placeholder for password (actual passwords are stored in `/etc/shadow`)
`UID`	User ID number
`GID`	Primary group ID number
`GECOS`	User information (full name, contact, etc.)
`home_directory`	Path to the user’s home folder
`shell`	Default shell for the user (e.g., `/bin/bash`)

Groups

A group is a collection of users. Groups are used to manage permissions collectively.
Each group has a group name and a group ID (GID).
A user can belong to one primary group and multiple secondary groups.
implifies file permission management.
Allows multiple users to share access to files and directories without giving them full system access.
groups alice → Lists all groups user ‘alice’ belongs to
All group information are stored in /etc/group
file, where each line represents one group, with fields separated by colons (:)
- group_name:password:GID:user_list → Syntax of /etc/group
- devteam:x:1002:alice,bob,charlie → entry in /etc/group
getent group groupname → Displays group info from /etc/group.

Field	Description
`group_name`	Name of the group
`x`	Placeholder for group password (rarely used)
`GID`	Group ID number
`user_list`	Comma-separated list of users in this group

Superuser Access

The Superuser (Root) user has complete control over a Linux system — including files, users, and devices.
Normal users have limited access; for example, they can manage USB devices but cannot modify system files.
The root account is equivalent to the Administrator account in Windows.
For security reasons, it’s recommended not to log in directly as root. Instead, log in as a normal user and use commands like su or sudo when administrative privileges are needed.

Two common ways to start a root shell:
- sudo -i → Starts an interactive root shell with login scripts.
- sudo su - → Starts a full root login shell.
Both achieve similar results, but sudo -i is generally preferred in Red Hat systems.

Switching Users

The su (substitute user) command allows switching to another user account.
su - username → Syntax
Example:
- [user1@host ~]$ su - user2
  Password:
  [user2@host ~]$
- su - → switches to root

Running Commands with `sudo`

The sudo command allows a permitted user to run commands as another user (usually root).
Unlike su, it asks for the user’s own password, not the root password.
Example:
- [user01@host ~]$ sudo usermod -L user02
  [sudo] password for user01:
Every sudo action is recorded in /var/log/secure.

Configuring Sudo Access

The sudo command allows users to run commands with the privileges of another user, typically the root user. Proper configuration ensures secure and controlled administrative access.
The main configuration file for sudo is /etc/sudoers. Always edit with visudo to prevent syntax errors.
%wheel ALL=(ALL) ALL
- %wheel → applies to the wheel group.
- ALL=(ALL) → can run commands as any user on any host.
- Final ALL → can run any command.
Files in /etc/sudoers.d/ are automatically included by /etc/sudoers. The permission for those files should be 440
To grants sudo to a specific user, you would create a file /etc/sudoers.d/user01 with the following content:
- user01 ALL=(ALL) ALL
To grants sudo to a group, you would create a file /etc/sudoers.d/group01 with the following content:
- %group01 ALL=(ALL) ALL
ansible ALL=(ALL) NOPASSWD:ALL → To allow a user to run commands without a password (commonly used in automation or cloud setups)

Managing Users

The useradd and usermod commands in Linux are used to create and manage user accounts.
They allow administrators to define user details such as home directories, shells, group memberships, and account permissions efficiently.
When a user is added, a home directory is usually created, a primary group with the same name is assigned, and any additional groups the user belongs to are called supplementary groups.

Command	Option	Description
useradd, usermod	`-c "comment"`	Add or update the user’s description or comment field (real name, etc.).
useradd, usermod	`-d /path/to/home`	Specify a custom home directory for the user account.
useradd, usermod	`-m`	Create the home directory if it doesn’t exist (`useradd`) or move it to a new location with `usermod -d`.
useradd, usermod	`-s /bin/bash`	Set or change the user’s login shell.
useradd	`-u UID`	Assign a specific User ID number.
useradd, usermod	`-g group`	Assign a primary group for the user account.
useradd, usermod	`-G group1,group2`	Add or set additional (supplementary) groups for the user.
usermod	`-a`	Append the user to supplementary groups instead of replacing existing ones (used with `-G`).
useradd	`-e YYYY-MM-DD`	Set an account expiration date.
useradd	`-p password`	Assign an encrypted password for the user account.
usermod	`-L`	Lock the user account (disables login).
usermod	`-U`	Unlock a previously locked user account.

Example:
- useradd user01
- useradd -m -c "Dev User" -s /bin/bash -G devteam john
- usermod -aG docker john → -aG command adds user to a supplementary group
- usermod -g group01 user02 → -g option here with usermod command create a different primary group for the user
The passwd command is used to set the password for the user, Only root can change other users’ passwords.
Example:
- passwd user01 → This will prompt the user to enter the password for user01
The userdel command is used to delete a user account from the system. It should be used with the -r option to ensure that the user’s home directory and mail spool are also removed.
Example:
- userdel user01 → Deletes the user, but the home directory remains.
- userdel -r john → Deletes the user and their home directory.

Red Hat Enterprise Linux uses specific UID numbers and ranges for different purposes:
- UID 0 → Always assigned to the superuser account (root).
- UID 1–200 → “System users” assigned statically to system processes by Red Hat.
- UID 201–999 → “System users” used by processes that do not own files; typically assigned dynamically when software is installed. These unprivileged users have limited access to system resources.
- UID 1000+ → Available for assignment to regular users.

Managing Groups

A group must exist before a user can be added to that group.
Groups help manage permissions and access control for multiple users efficiently.
The groupadd command is used to create new group in the system.

Command	Option	Description
`groupadd`	`-g GID`	Assign a specific Group ID.
`groupadd`	`-r`	Create a system group (typically with a GID < 1000).

Example:

- groupadd developers
- groupadd -g 1050 admins
- groupadd -r group02
The groupmod is used to change the group details, such as name of GID

Command	Option	Description
`groupmod`	`-g GID`	Change the group ID.
`groupmod`	`-n new_name old_name`	Rename the group.

Example:
- groupmod -g 1200 developers
- groupmod -n devteam developers
The groupdel command is used to remove the group from the system.
A group cannot be deleted if it is the primary group of any existing user.
You must modify or delete the user first before removing the group.
Example:
- groupdel devteam

Managing User Passwords

User password management in Linux is critical for security and access control. Passwords, aging policies, and account restrictions are managed through files like /etc/shadow and commands such as passwd, chage, and usermod.
The passwords stored in /etc/shadow are encrypted and accessible only by root.
Example:
- user01:$6$CSsXcYG1L/4ZfHr/$2W6evvJahUfzfHpc9X.45Jc6H30E...:19500:0:90:7:14:20000: → Entry of /etc/shadow file
Each line in /etc/shadow contains nine colon-separated fields, including:

Field Name	Example Value	Description
`Username`	`user01`	The account name.
`Encrypted Password`	`$6$CSsXcYG1L/4ZfHr/$2W6evvJahUfzfHpc9X.45Jc6H30E...`	Hashed password using SHA-512.
`Last Password Change`	`19500`	Days since 1970-01-01 when the password was last changed.
`Minimum Days`	`0`	Minimum number of days before the password can be changed again.
`Maximum Days`	`90`	Maximum number of days before the password must be changed.
`Warning Period`	`7`	Number of days before expiration that the user is warned.
`Inactivity Period`	`14`	Days after password expiry before the account is disabled.
`Account Expiration Date`	`20000`	Date (in days since 1970-01-01) when the account will expire.
`Reserved Field`	(empty)	Reserved for future use; usually left blank.

An encrypted password entry looks like:
- $6$CSsXcYG1L/4ZfHr/$2W6evvJahUfzfHpc9X.45Jc6H30E...
- $6$ → SHA-512 algorithm
- CSsXcYG1L/4ZfHr/ → Salt (random data to strengthen security)
- Remainder → Encrypted password hash
You can manage password aging with the chage command:

Command Example	Description
`sudo chage -m 0 -M 90 -W 7 -I 14 user01`	Set minimum (0), maximum (90), warning (7), and inactivity (14) days.
`sudo chage -d 0 user01`	Force user to change password at next login.
`sudo chage -E 2025-12-31 user01`	Expire account on a specific date.
`sudo chage -l user01`	Display password aging information.

Default password aging rules are set in /etc/login.defs using:
- PASS_MAX_DAYS → Max password age
- PASS_MIN_DAYS → Min password age
- PASS_WARN_AGE → Warning period before expiration
Restricting account access (locking) is preferred over deletion when temporarily disabling a user, such as during employee offboarding.

Command	Description
`sudo usermod -L username`	Lock user account (disable password login).
`sudo usermod -U username`	Unlock user account.
`sudo usermod -L -e 2025-12-31 username`	Lock and expire the account simultaneously.

For accounts that should not log in interactively (like service accounts), assign the nologin shell:
- sudo usermod -s /sbin/nologin username
This enhances security while still allowing background processes (like mail or services) to use the account.

Controlling Access to Files

Linux permissions determine what users can do with files and directories. Permissions are divided into three types: read (r), write (w), and execute (x), and apply to owner, group, and others.

Permission	Effect on Files	Effect on Directories
r	Can read the file contents	Can list file names in the directory
w	Can modify the file contents	Can create or delete files in the directory
x	Can execute the file as a command	Can access directory contents and traverse it if file permissions allow

The ls -l command shows detailed information about files and directories:

[user@host ~]$ ls -l test
-rw-rw-r-- 1 student student 0 Feb 8 17:36 test
[user@host ~]$ ls -ld /home
drwxr-xr-x 5 root root 4096 Jan 31 22:00 /home

Below is a breakdown of the ls -l command output to help you understand what each part represents.

First character: File type
- - → Regular file
- d → Directory
- l → Symbolic link
- b/c → Block/character device
- p/s → Special-purpose files
Next nine characters: Permissions
- 1st set of 3 characters → Owner
- 2nd set of 3 characters→ Group
- 3rd set of 3 characters→ Others
- r = read, w = write, x = execute
- - = permission not granted
Number: Number of hard links
Owner and group: File ownership
Example:
- -rw-rw-r-- 1 student student
  - Owner → read & write
  - Group → read & write
  - Others → read only
- drwxr-xr-x 5 root root
  - Owner → read, write, execute
  - Group → read & execute
  - Others → read & execute

Special Permission Flag displayed as the first character in ls -l output (_ in _rwxrwxrwx), can vary depending on file type or special flags.

Numeric Permissions

Each permission has a numeric value:

- r = 4 → Read
- w = 2 → Write
- x = 1 → Execute

Numeric permission calculation:

- Example: rwx → 4 + 2 + 1 = 7
- Example: rw- → 4 + 2 + 0 = 6
- Example: r-- → 4 + 0 + 0 = 4
- Example: r-x → 4 + 0 + 1 = 5

File Permissions and Ownership

The chmod command is used to change file and directory permissions. It stands for “change mode”, since permissions are also known as the mode of a file.

The command accepts a permission instruction followed by one or more files or directories.

Permissions can be changed in two ways:

Symbolic method
Numeric (octal) method

Symbolic Method

chmod [Who][What][Which] file|directory

Part	Meaning	Values
Who	Whose permissions to change	`u` = user (owner), `g` = group, `o` = others, `a` = all
What	Action to perform	`+` = add, `-` = remove, `=` = set exactly
Which	Which permissions	`r` = read, `w` = write, `x` = execute

You can modify one or more existing permissions without resetting all of them.
Use:

+ to add
- to remove
= to set exact permissions

Example:

chmod go-rw file1 → Remove read and write permission for group and others on file1
chmod a+x file2 → Add execute permission for everyone on file2

Using an uppercase X instead of lowercase x adds execute permission only if the file is a directory or already executable for user, group, or others.

The -R option applies changes recursively to all files and subdirectories.

Example:

chmod -R g+rwX demodir
Adds read and write permissions for the group on demodir and all its contents.
Adds execute permission only to directories or files that already have execute permission.

Numeric(Octal) Method

chmod ### file|directory

Each digit represents permissions for user, group, and others, in that order.

Level	Permissions	Calculation	Value
User	`rwx`	`4+2+1`	`7`
Group	`r-x`	`4+0+1`	`5`
Others	`---`	`0+0+0`	`0`

Numeric code: 750

chmod 750 filename

Example:

chmod 644 samplefile → User: read/write, Group: read, Others: read
chmod 750 sampledir → User: read/write/execute, Group: read/execute, Others: none

Changing File and Directory Ownership

When a file is created, it is owned by:

The user who created it.
The user’s primary group (usually a private group for that user).

Sometimes, ownership must be changed to grant access to another user or group.

The chown command is used to changed the ownership of files and directories

chown [OPTION] OWNER:GROUP FILE|DIRECTORY → Syntax

Only root can change file ownership.
Both root and file owner can change group ownership (if the owner is a member of that group).
We can mention just the Owner or Group or Both

Examples:

chown student test_file → Changes owner of test_file to user student
chown -R student test_dir → Recursively changes ownership of test_dir and its contents to student
chown :admins test_dir → Changes the group of test_dir to admins
chown visitor:guests test_dir → Changes both owner to visitor and group to guests

Alternatively, group ownership can be changed using chgrp command

chgrp groupname file|directory
chgrp admins test_dir

Special Permissions in Linux

Special permissions are advanced access features that extend beyond basic user, group, and other permissions. They modify how files and directories behave when accessed or executed.

Special Permission	Effect on Files	Effect on Directories
u+s (setuid)	File executes as the file owner, not the user running it.	No effect.
g+s (setgid)	File executes as the file’s group, not the user’s group.	Files created inside inherit the directory’s group ownership.
o+t (sticky bit)	No effect.	Users can only delete their own files even if they have write access to the directory.

The special permissions on files or directories can be identified by running the ls -l command and examining the output.
Refer to the table below for examples of how special permission bits appear in listings.

Example	Meaning
`-rwsr-xr-x` → `s` replaces `x` in owner field	setuid active (e.g., `/usr/bin/passwd`)
`drwxr-sr-x` → `s` replaces `x` in group field	setgid active (e.g., `/run/log/journal`)
`drwxrwxrwt` → `t` replaces `x` in others field	sticky bit active (e.g., `/tmp`)

Special Permissions can be set in 2 ways:

Symbolic
- u+s, g+s, o+t → Syntax
- chmod g+s directory → Example
Numeric (4th digit)
- 4 = setuid, 2 = setgid, 1 = sticky → Syntax
- chmod 2770 directory → Example

Default Permissions & umask

When a file or directory is created, it’s assigned default permissions determined by two factors:

Type of item (file or directory)
User’s umask (user file-creation mode mask)

The default permission before applying umask for file is 0666 (-rw-rw-rw-) and for directory is 0777 (drwxrwxrwx)

Execute permission isn’t granted automatically to new files for security reasons.

umask defines which permission bits should be removed (masked) from the default permission set when new files or directories are created.

Example:

[user@host ~]$ umask
0002
This clears the write bit for others, resulting in:
- New file → -rw-rw-r--
- New directory → drwxrwxr-x

Umask Examples:

umask	File Permissions	Directory Permissions	Description
`0002`	`-rw-rw-r--`	`drwxrwxr-x`	Default for collaborative environments
`0000`	`-rw-rw-rw-`	`drwxrwxrwx`	Everyone has full access
`007`	`-rw-rw----`	`drwxrwx---`	Restricts access to others
`027`	`-rw-r-----`	`drwxr-x---`	Secure default; no access for others

To set a new umask for the current session, use the command umask 027, where 027 represents the permission mask value and can be changed to any valid octal value as needed.

To make the umask configuration persistent, modify the global settings in /etc/profile or /etc/bashrc. For user-specific overrides, make changes in the ~/.bashrc or ~/.bash_profile files.

You must log out and back in for global umask changes to take effect.

Access Control List (ACL)

Standard Linux file permissions work well when files are used by a single owner and one group.
However, when files must be accessed by multiple users or groups with different permission sets, Access Control Lists (ACLs) come into play.

ACLs allow administrators to grant permissions to multiple named users or groups (by username, group name, UID, or GID) using the same permission flags as standard file permissions:

r – read
w – write
x – execute

Named users and groups are not visible in a simple ls -l output — they are stored within the ACL structure.

Who Can Set ACLs

File owners can set ACLs on their own files or directories.
Privileged users with the CAP_FOWNER capability can set ACLs on any file or directory.
Inheritance: New files and subdirectories inherit ACLs from their parent directory’s default ACL, if one exists.

Note: The parent directory must have the execute (search) permission set for named users/groups to access the contents.

File-System ACL Support

File systems must have ACL support enabled.

XFS: ACLs are built-in.
ext3/ext4 (RHEL 8 and later): ACL option enabled by default.
Older systems: Verify ACL support manually.

You can enable ACL support by mounting the filesystem with the acl option:

mount -o acl /dev/sdX /mountpoint

Or, persist it in /etc/fstab:

UUID=<id> /data ext4 defaults,acl 0 2

Viewing and Interpreting ACL Permissions

The ls -l command gives a minimal hint of ACLs:

[user@host content]$ ls -l reports.txt
-rwxrw----+ 1 user operators 130 Mar 19 23:56 reports.txt

The + at the end of the permission string means extended ACLs exist.

Field	Meaning
user:	User ACL (same as file owner permissions)
group:	Current ACL mask, not group owner permissions
other:	Same as standard “other” file permissions

Viewing File ACLs

Use getfacl to display ACLs:

[user@host content]$ getfacl reports.txt

# file: reports.txt

# owner: user

# group: operators

user::rwx

user:consultant3:---

user:1005:rwx #effective:rw-

group::rwx #effective:rw-

group:consultant1:r--

group:2210:rwx #effective:rw-

mask::rw-

other::---

Breakdown:

Commented Entries
- # file: File name
- # owner: File owner
- # group: Group owner
User Entries
- user::rwx → File owner permissions
- user:consultant3:--- → Named user (no permissions)
- user:1005:rwx #effective:rw- → Named user limited by mask
Group Entries
- group::rwx #effective:rw- → Group owner limited by mask
- group:consultant1:r-- → Named group (read-only)
- group:2210:rwx #effective:rw- → Named group limited by mask
Mask Entry
- mask::rw- → Maximum allowed permissions for named users/groups
Other Entry
- other::--- → No permissions for anyone else

Viewing Directory ACLs

Use getfacl to display ACLs:

[user@host content]$ getfacl .

# file: .

# owner: user

# group: operators

# flags: -s-

user::rwx

user:consultant3:---

group::rwx

group:consultant1:r-x

mask::rwx

other::---

default:user::rwx

default:group::rwx

default:mask::rwx

default:other::---

The execute (x) permission allows directory traversal/search.
Default ACLs determine permissions for newly created files or subdirectories.

Breakdown:

default:user::rwx → Default owner permissions
default:user:name:rx → Default named user permissions
default:group::rwx → Default group permissions
default:mask::rwx → Maximum default permissions
default:other::--- → No permissions for others

Default ACLs do not grant access to the directory itself — they define inheritance rules for new files/subdirectories.

ACL Mask

The ACL mask defines the maximum permissions possible for:

Named users
The group owner
Named groups

It does not affect the file owner or “others”.

View mask: getfacl file
Set mask: setfacl -m m::perms file

When ACLs change, the mask is recalculated automatically unless you use the -n flag or explicitly redefine it.

ACL Permission Precedence

When a process accesses a file:

If user = owner → use file owner ACL
If user matches named user entry → use that entry (limited by mask)
If group matches group owner or named group → use that group’s ACL (limited by mask)
Else → apply the other ACL

Changing ACL Permissions

The setfacl command is used to add, modify, or remove ACLs.

setfacl -m u:name:rX file → Add/modify user
setfacl -m g:name:rw file → Add/modify group
setfacl -m o::- file → Modify other
setfacl -m u::rwx,g:consultants:rX,o::- file → Combine multiple entires
getfacl file-A | setfacl --set-file=- file-B → Using getfacl as input, to copy ACL between two files
setfacl -m m::r file → Setting an Explicit Mask, Restricts named users and groups to read-only, regardless of existing ACLs.
setfacl -R -m u:name:rX directory → Apply ACLs recursively, Use uppercase X to apply execute permission only to directories (and executables)
setfacl -x u:name,g:name file → Remove specific entries
setfacl -b file → Remove all ACLs
setfacl -m d:u:name:rx directory → Set default ACLs on directories. Files created under this directory will not get execute permission automatically, only directories do. Include execute (x) for directory traversal.
setfacl -x d:u:name directory → Delete a specific default ACL
setfacl -k directory → Delete all default ACLs

Command	Purpose
`getfacl file`	View ACLs
`setfacl -m`	Modify/add ACLs
`setfacl -x`	Delete specific ACL entries
`setfacl -b`	Remove all ACLs
`setfacl -k`	Remove all default ACLs
`setfacl -R`	Apply changes recursively
`mount -o acl`	Enable ACL support on mount

🐧 Linux — The Foundation for Every Developer

⬇️ Jump To

Introduction to Linux

Why Learn Linux?

Key Features

Linux Architecture Overview

Linux Distributions

Accessing the Command Line in Linux

Bash Shell

Login using SSH

Host Verification

Security Tip

Logout

Basic Linux commands and Shortcuts

Common Commands

Viewing File Contents

Counting File Data

Command History and Continuation

Command Continuation

Other Useful Commands

Tab Completion

Useful Command-line Editing Shortcuts

SSH Key-Based Authentication

Generating SSH Keys

Sharing the Public Key

SSH-agent

Managing File Systems

Basic Linux Commands You Should Know

Command-line File Management

Managing Links Between Files

Command-Line Expansions

Tilde Expansion (~)

Brace Expansion ({})

Variable Expansion ($VARIABLE)

Command Substitution ($(command))

Protecting Arguments from Expansion

Redirecting Output to a File or Program

Standard Input, Standard Output, and Standard Error

Redirecting Output to a File

Editing Text Files

Basic Vim Workflow

Changing the Shell Environment

Environment Variables

Automatic Variable Setup

Unsetting and Unexporting Variables

Managing Users and Groups

Users

Groups

Superuser Access

Switching Users

Running Commands with sudo

Configuring Sudo Access

Managing Users

Managing Groups

Managing User Passwords

Controlling Access to Files

File Permissions and Ownership

Symbolic Method

Numeric(Octal) Method

Changing File and Directory Ownership

Special Permissions in Linux

Default Permissions & umask

Access Control List (ACL)

Who Can Set ACLs

File-System ACL Support

Viewing and Interpreting ACL Permissions

Viewing File ACLs

Viewing Directory ACLs

ACL Mask

ACL Permission Precedence

Changing ACL Permissions

Thanks for your interest!

Tilde Expansion (`~`)

Brace Expansion (`{}`)

Variable Expansion (`$VARIABLE`)

Command Substitution (`$(command)`)

Running Commands with `sudo`