What is the command that changes the directory from the current directory to the home directory of a user named Bob?

35.5 Changing directory

The pwd command can be used to determine the present working directory. and the cd command can be used to change the current working directory. When changing directory either the full pathname or the relative pathname is given. If a / precedes the directory name then it is a full pathname, else it is a relative path. Some special character sequences are used to represent other directory, such as the directory above the current directory is specified by a double dot (. .).

Thus to move to the directory above the command cd..can be used. If the cd command is used without any preceding directory specifier then the directory will be changed to the user's home directory. Some example command sessions are given next.

13.2.6.1 Trusted Host: rcp

The following examples show various uses of rcp and compares them to their OpenVMS DECnet proxy login counterparts.

In the first example, rcp cuhhmd: /usr/user1/junk myfile copies the file /usr/user1/junk from the trusted remote host cuhhmd to myfile in the present working directory on the local host. In the second example, rcp myfile cuhhmd:/usr/user1/junk copies myfile in the present working directory on the local host to the file junk in the directory /usr/user1 on the remote trusted host cuhhmd. For file transfer to occur, the same login name must own the remote directory /usr/user1 on cuhhmd, as well as the files on the local host, unless modified by a cuhhmd:-user1. rhosts entry. Moreover, the directory /usr/user1 must already exist on cuhhmd; the command will not create it.

The third example, rcp -r ~ fred/programs cuhhmd: /usr/ fred/ programs, illustrates copying a directory structure (− r option for recursive copying) across the network. In the UNIX example given here, the local directory programs, any subdirectories of programs, and all files therein are recreated on the remote host cuhhmd in the directory /user/fred/programs in the same way as the cp command copies directory structures on a single host (see Section 8.3.1).

In the fourth example, rcp myfile cuhhmd:programs/junk illustrates the use of a relative pathname to specify a file on the remote host. The command copies myfile to ~ user/programs/ junk on the remote host. Relative pathnames on a local host start from the present working directory; relative pathnames on a remote host start from the parent directory of the user. Note that if the directory ~ user/programs on the remote host did not exist, it would not have been created. Rather, an error would have occurred.

The last example extends the concept of using a relative pathname. Because rcp myfile cuhhmd:programs does not include an output filename (programs is a directory), the file is copied with the same name to ~ user/programs/myfile.

Collecting Process Information

Distinguishing between malware and legitimate processes on a Linux system involves a methodical review of running processes. In some cases, malicious processes will exhibit characteristics that immediately raise a red flag, such as established network connections with an Internet Relay Chart (IRC) server, or the executable stored in a hidden directory. More subtle clues that a process is malicious include files that it has open, a process running as root that was launched from a user account that is not authorized to have root access, and the amount of system resources it is consuming. The top command shows which processes are using the most system resources.

The ps command is useful for obtaining an overview of running processes on the subject system, with the options ps -auxeww for all processes, their associated terminal (tty), and their environment such as the command line options and present working directory (“pwd”). A simplified process listing without the environment information can be obtained by excluding the “e” option or using ps -ealf or -ef options. The following case scenario demonstrates how characteristics of a process can expose malware and lead digital investigators into a cold, dark place of hidden information.

Case Scenario

8.3.2 Directory Navigation

Both the C shell and the Korn shell offer extensions to the shell-independent command cd for changing the current directory. The C shell provides the shell variable cdpath and the directory stack, whereas the Korn shell includes CDPATH and OLDPWD. The Bourne-Again shell both recognizes CDPATH and OLDPWD and includes a directory stack. The variables cdpath and CDPATH let you move easily to a commonly used directory, irrespective of the current directory. In other words, you can move from the present working directory to a directory defined by cdpath or CDPATH without regard to the relative or absolute pathname required to get to that directory. The Open VMS DEFINE command achieves a similar result, with one notable difference: DEFINE establishes a pointer to a specific directory, whereas cdpath and CDPATH establish a search list to potential parent directories of any subdirectory that is used frequently.

In the first example, Open VMS’s DEFINE establishes a synonym, TEST, for the directory specification DUA2: [USER.TEST], The UNIX command set cdpath = /user/test establishes a pointer to all subdirectories of / user/test. Hence, changing the directory to temp via a relative file definition makes /user/test/temp the present working directory irrespective of the current directory. The exception is the existence of /programs/new/ temp, in which case that directory would have been preferentially made the present working directory. If you are working with the Korn or Bourne-Again shell, you would achieve the same results by defining CDPATH as / user/test. The last example, set cdpath = (/user/doc /user/com), illustrates giving multiple directory arguments to cdpath by enclosing them in parentheses and separating them with a blank. The Korn and Bourne-Again shells separate each directory with a colon (just as they do the directories in the PATH variable) and omit the enclosing parenthesis.

A directory stack is a list of directory specifications retained by the C and Bourne-Again shells for the current terminal session only. Directory specifications can be made part of the stack and recalled as required. The present working directory is always at the top of the directory stack. The following scenario illustrates the use of a directory stack.

The examples begin in the directory /user2/programs/new. The command pushd /usr places (pushes) the directory /usr onto the directory stack and makes it the present working directory. Note that the pushd command displays the directory stack; other commands that manipulate the stack also display it. Note also that pushd without arguments (not shown) switches the top two entries of the stack. The C shell command dirs interrogates the contents of the directory stack. Further use of the pushd command (pushd /etc) deepens the stack, and /etc becomes the present working directory. The command pushd + 1 makes the first directory stack entry the last, and the last the first; that is, it rotates the stack + 1 (one) time. The popd command discards the top of the directory stack (the present working directory) and makes the second entry in the stack the new present working directory. Note the use of cd /tmp, which changes the top entry in the stack to /tmp, but does not change other entries in the stack.

While the Korn shell has no such elaborate directory stack, it does keep a record of the most recent previous working directory in the OLDPWD variable. You can thus go back and forth between two directories simply using the command cd $OLDPWD. The Korn and Bourne-Again shells use a directory sequence, ~–, as equivalent to the variable. Thus, the command cd ~ – is the same as the command cd $0LDPWD. Similarly, the two shells interpret ~ + as a reserved variable for the current directory, PWD.

FTP Data Transfers

At some point in the FTP conversation between client and server port 21, the user will use a command that will trigger a file transfer. The transfer might not be the actual file itself, such as with get or put. Often, the user requests a file directory listing from the present working directory on the server with the dir command, usually to ensure that the desired file is there or to check the spelling after the first transfer attempt has failed. These actions require the server to set up an FTP data connection. (The control connection is just a Telnet remote access session and is inappropriate for bulk data transfer anyway.) The FTP model of control and data connections is shown in Figure 24.8.

Consider what happens when a user at an FTP client types in the dir command to receive a list of the contents of the remote host’s directory. This requires the establishment of a data connection on the part of the server. The server normally uses well-known TCP port 20 as the server end of the data connection. But how does the client know which ephemeral port to listen on for the data?

The server sends an FTP PORT command over the control connection to the client with this information. This tells the client which port should be used at the client end for the data connection. So that there is no misunderstanding, the server includes the client’s IP address as well. Thus, the command really supplies socket information. The PORT command is sent over the control connection and is formatted as if it were data to appear on a Telnet terminal, including control characters such as \n (new line).

The port number is expressed as two independent numbers. The first is multiplied by 256 and added to the second (which must be in the range 0–255) to give the client’s port number. So, if the PORT command ends with the numbers 14, 234 (excluding the control characters) the port number the client should use for the data connection is 3818 (14×256=3584+234=3818).

The client issues a passive open on port 3818, and the FTP server now sends a TCP SYN message to open the TCP session and send the dir listing as requested. The server usually closes the data connection as soon as the transfer is complete.

The control connection process of obtaining a simple dir listing from a remote FTP server is shown in Figure 24.9. Note that the client issues FTP commands and the server replies with codes.

The activity on the data connection is shown in Figure 24.10. Although in many cases the data connection uses well-known port 20 on the server, it does not have to.