William J. Buchanan BSc, CEng, PhD, in
Software Development for Engineers, 1997 The pwd command can be used to determine the present working directory. and the
cd command can be used to change the current working directory. When changing directory either the full pathname or the relative pathname is given. If a / precedes the directory name then it is a full pathname, else it is a relative path. Some special character sequences are used to represent other directory, such as the directory above the current directory is specified by a double dot (. .). Thus to move
to the directory above the command cd..can be used. If the cd command is used without any preceding directory specifier then the directory will be changed to the user's home directory. Some example command sessions are given next. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780340700143500803 NetworkingPhilip Bourne, ... Joseph McMullen, in UNIX for OpenVMS Users (Third Edition), 2003 13.2.6.1 Trusted Host: rcpThe following examples show various uses of rcp and compares them to their OpenVMS DECnet proxy login counterparts. In the first example, rcp cuhhmd: /usr/user1/junk myfile copies the file /usr/user1/junk from the trusted remote host cuhhmd to myfile in the present working directory on the local host. In the second example, rcp myfile cuhhmd:/usr/user1/junk copies myfile in the present working directory on the local host to the file junk in the directory /usr/user1 on the remote trusted host cuhhmd. For file transfer to occur, the same login name must own the remote directory /usr/user1 on cuhhmd, as well as the files on the local host, unless modified by a cuhhmd:-user1. rhosts entry. Moreover, the directory /usr/user1 must already exist on cuhhmd; the command will not create it.
The third example, rcp -r ~ fred/programs cuhhmd: /usr/ fred/ programs, illustrates copying a directory structure (− r option for recursive copying) across the network. In the UNIX example given here, the local directory programs, any subdirectories of programs, and all files therein are recreated on the remote host cuhhmd in the directory /user/fred/programs in the same way as the cp command copies directory structures on a single host (see Section 8.3.1). In the fourth example, rcp myfile cuhhmd:programs/junk illustrates the use of a relative pathname to specify a file on the remote host. The command copies myfile to ~ user/programs/ junk on the remote host. Relative pathnames on a local host start from the present working directory; relative pathnames on a remote host start from the parent directory of the user. Note that if the directory ~ user/programs on the remote host did not exist, it would not have been created. Rather, an error would have occurred. The last example extends the concept of using a relative pathname. Because rcp myfile cuhhmd:programs does not include an output filename (programs is a directory), the file is copied with the same name to ~ user/programs/myfile. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781555582760500133 Malware Incident ResponseJames M. Aquilina, in Malware Forensics, 2008 Collecting Process InformationDistinguishing between malware and legitimate processes on a Linux system involves a methodical review of running processes. In some cases, malicious processes will exhibit characteristics that immediately raise a red flag, such as established network connections with an Internet Relay Chart (IRC) server, or the executable stored in a hidden directory. More subtle clues that a process is malicious include files that it has open, a process running as root that was launched from a user account that is not authorized to have root access, and the amount of system resources it is consuming. The top command shows which processes are using the most system resources. The ps command is useful for obtaining an overview of running processes on the subject system, with the options ps -auxeww for all processes, their associated terminal (tty), and their environment such as the command line options and present working directory (“pwd”). A simplified process listing without the environment information can be obtained by excluding the “e” option or using ps -ealf or -ef options. The following case scenario demonstrates how characteristics of a process can expose malware and lead digital investigators into a cold, dark place of hidden information. Case Scenario Entering the Twilight Zone — An LKM RootkitThe information security department in an organization observed a brute-force attack against an SSH server on a number of their systems. Subsequent network activities from one of those systems raised sufficient concern to capture and examine volatile data. The last two items in the process listing on the subject system revealed a process named “klogd —x,” with “/dev/tyyec” as its present working directory shown in bold below. The intruder evidently forgot to hide this process, because even a trusted version of the ps command will not display information that is concealed by an LKM rootkit. #/mnt/trustedtools/ps -auxeww USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.1 1336 476 ? S 16:20 0:04 init HOME=/ TERM=linux root 2 0.0 0.0 0 0 ? SW 16:20 0:00 [keventd] root 3 0.0 0.0 0 0 ? SW 16:20 0:00 [kapmd] root 4 0.0 0.0 0 0 ? SWN 16:20 0:00 [ksoftirqd_CPU0] root 5 0.0 0.0 0 0 ? SW 16:20 0:00 [kswapd] root 6 0.0 0.0 0 0 ? SW 16:20 0:00 [bdflush] root 7 0.0 0.0 0 0 ? SW 16:20 0:00 [kupdated] root 8 0.0 0.0 0 0 ? SW 16:20 0:00 [mdrecoveryd] root 16 0.0 0.0 0 0 ? SW 16:20 0:00 [kjournald] <cut for brevity> root 810 0.0 0.5 4144 1436 tty1 S 16:21 0:00 -bash HOME=/root PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin SHELL=/bin/bash TERM=linux MAIL=/var/mail/root LOGNAME=root root 1885 0.0 0.7 6692 2028 ? S 16:24 0:00/usr/sbin/sshd CONSOLE=/dev/console TERM=linux INIT_VERSION=sysvinit-2.84 PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin RUNLEVEL=3 runlevel=3 PWD=/ LANG=en_US.UTF-8 PREVLEVEL=N previous=N HOME=/ SHLVL=2 _=/sbin/initlog eco 1887 0.0 0.8 6732 2240 ? S 16:24 0:00/usr/sbin/sshd CONSOLE=/dev/console TERM=linux INIT_VERSION=sysvinit-2.84 PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin RUNLEVEL=3 runlevel=3 PWD=/ LANG=en_US.UTF-8 PREVLEVEL=N previous=N HOME=/ SHLVL=2 _=/sbin/initlog eco 1888 0.0 0.5 4132 1408 pts/8 S 16:24 0:00 -bash USER=eco LOGNAME=eco HOME=/home/eco PATH=/usr/local/bin:/bin:/usr/bin MAIL=/var/mail/eco SHELL=/bin/bash SSH_CLIENT=172.16.215.131 48799 22 SSH_TTY=/dev/pts/8 TERM=xterm root 5723 0.0 0.1 1364 448 pts/8 S 17:26 0:00 klogd -x PWD=/dev/tyyec SHLVL=1 _=./swapd OLDPWD=/dev/tyyec/ecmf root 5787 0.0 0.1 1352 404 pts/8 S 17:34 0:00 klogd -x PWD=/dev/tyyec SHLVL=1 _=./swapd OLDPWD=/dev/tyyec/ecmf The most obvious problem was that the “/dev/tyyec” directory did not appear in a directory listing, but could be accessed by blindly changing the directory to that location, as shown here. #/mnt/cdrom/ls/dev/tyy* ls:/dev/tyy*: No such file or directory # cd/dev/tyyec #/mnt/cdrom/ls adore-ng.o ava cleaner.o log relink startadore symsed swapd zero.o Another discrepancy to note is that the name of the process “klogd -x” does not bear any resemblance to the “swapd” executable that launched the process. In addition, this process was executed from its current directory “./swapd,” which is uncommon for system processes and is generally associated with processes executed by a user. Furthermore, this process is running as root but the controlling terminal (pts/8 shown in the line preceding those in bold above) is associated with the “eco” user account, which should not have root access according to the system administrators. These clues led digital investigators to conclude that the Adore LKM rootkit was running on the system. If it had not been for the intruder's misstep of not instructing the rootkit to hide one running process, the presence of malware might have gone undetected, unless the digital investigators had examined the memory dump from the subject system, as described in Chapter 3. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597492683000025 File Management RevisitedPhilip Bourne, ... Joseph McMullen, in UNIX for OpenVMS Users (Third Edition), 2003 8.3.2 Directory NavigationBoth the C shell and the Korn shell offer extensions to the shell-independent command cd for changing the current directory. The C shell provides the shell variable cdpath and the directory stack, whereas the Korn shell includes CDPATH and OLDPWD. The Bourne-Again shell both recognizes CDPATH and OLDPWD and includes a directory stack. The variables cdpath and CDPATH let you move easily to a commonly used directory, irrespective of the current directory. In other words, you can move from the present working directory to a directory defined by cdpath or CDPATH without regard to the relative or absolute pathname required to get to that directory. The Open VMS DEFINE command achieves a similar result, with one notable difference: DEFINE establishes a pointer to a specific directory, whereas cdpath and CDPATH establish a search list to potential parent directories of any subdirectory that is used frequently.
In the first example, Open VMS’s DEFINE establishes a synonym, TEST, for the directory specification DUA2: [USER.TEST], The UNIX command set cdpath = /user/test establishes a pointer to all subdirectories of / user/test. Hence, changing the directory to temp via a relative file definition makes /user/test/temp the present working directory irrespective of the current directory. The exception is the existence of /programs/new/ temp, in which case that directory would have been preferentially made the present working directory. If you are working with the Korn or Bourne-Again shell, you would achieve the same results by defining CDPATH as / user/test. The last example, set cdpath = (/user/doc /user/com), illustrates giving multiple directory arguments to cdpath by enclosing them in parentheses and separating them with a blank. The Korn and Bourne-Again shells separate each directory with a colon (just as they do the directories in the PATH variable) and omit the enclosing parenthesis. A directory stack is a list of directory specifications retained by the C and Bourne-Again shells for the current terminal session only. Directory specifications can be made part of the stack and recalled as required. The present working directory is always at the top of the directory stack. The following scenario illustrates the use of a directory stack.
The examples begin in the directory /user2/programs/new. The command pushd /usr places (pushes) the directory /usr onto the directory stack and makes it the present working directory. Note that the pushd command displays the directory stack; other commands that manipulate the stack also display it. Note also that pushd without arguments (not shown) switches the top two entries of the stack. The C shell command dirs interrogates the contents of the directory stack. Further use of the pushd command (pushd /etc) deepens the stack, and /etc becomes the present working directory. The command pushd + 1 makes the first directory stack entry the last, and the last the first; that is, it rotates the stack + 1 (one) time. The popd command discards the top of the directory stack (the present working directory) and makes the second entry in the stack the new present working directory. Note the use of cd /tmp, which changes the top entry in the stack to /tmp, but does not change other entries in the stack. While the Korn shell has no such elaborate directory stack, it does keep a record of the most recent previous working directory in the OLDPWD variable. You can thus go back and forth between two directories simply using the command cd $OLDPWD. The Korn and Bourne-Again shells use a directory sequence, ~–, as equivalent to the variable. Thus, the command cd ~ – is the same as the command cd $0LDPWD. Similarly, the two shells interpret ~ + as a reserved variable for the current directory, PWD. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B978155558276050008X File Transfer ProtocolWalter Goralski, in The Illustrated Network (Second Edition), 2017 FTP Data TransfersAt some point in the FTP conversation between client and server port 21, the user will use a command that will trigger a file transfer. The transfer might not be the actual file itself, such as with get or put. Often, the user requests a file directory listing from the present working directory on the server with the dir command, usually to ensure that the desired file is there or to check the spelling after the first transfer attempt has failed. These actions require the server to set up an FTP data connection. (The control connection is just a Telnet remote access session and is inappropriate for bulk data transfer anyway.) The FTP model of control and data connections is shown in Figure 24.8. Figure 24.8. FTP control and data connections, showing how both are used in an FTP application. Consider what happens when a user at an FTP client types in the dir command to receive a list of the contents of the remote host’s directory. This requires the establishment of a data connection on the part of the server. The server normally uses well-known TCP port 20 as the server end of the data connection. But how does the client know which ephemeral port to listen on for the data? The server sends an FTP PORT command over the control connection to the client with this information. This tells the client which port should be used at the client end for the data connection. So that there is no misunderstanding, the server includes the client’s IP address as well. Thus, the command really supplies socket information. The PORT command is sent over the control connection and is formatted as if it were data to appear on a Telnet terminal, including control characters such as \n (new line). The port number is expressed as two independent numbers. The first is multiplied by 256 and added to the second (which must be in the range 0–255) to give the client’s port number. So, if the PORT command ends with the numbers 14, 234 (excluding the control characters) the port number the client should use for the data connection is 3818 (14×256=3584+234=3818). The client issues a passive open on port 3818, and the FTP server now sends a TCP SYN message to open the TCP session and send the dir listing as requested. The server usually closes the data connection as soon as the transfer is complete. The control connection process of obtaining a simple dir listing from a remote FTP server is shown in Figure 24.9. Note that the client issues FTP commands and the server replies with codes. Figure 24.9. FTP control connection, showing how a directory listing proceeds. The activity on the data connection is shown in Figure 24.10. Although in many cases the data connection uses well-known port 20 on the server, it does not have to. Figure 24.10. FTP data connection. The connection does not have to use port 20 on the server. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128110270000242 What command will change the current directory to your home directory?Summary. Which command is used to change directory to another directory?Use the cd command to move from your present directory to another directory. You must have execute (search) permission in the specified directory.
How do I change my current directory to home?Since home is the parent of the directory called newuser, these two directories are separated with a /. If you're in your login directory, you can move up one directory, to home, just by typing: cd .. The relative path describes the directory you want to cd to in terms which are relative to your current directory.
What Linux command can be used to change the directory from current to home directory?To change to your home directory, type cd and press [Enter]. To change to a subdirectory, type cd, a space, and the name of the subdirectory (e.g., cd Documents) and then press [Enter]. To change to the current working directory's parent directory, type cd followed by a space and two periods and then press [Enter].
|