202-450 Exam Dumps - LPIC-2 Certified Linux Engineer Questions and Answers

To prevent anonymous FTP users from listing uploaded file names, the upload directory must not have the read or execute permission set for the anonymous user or group. The read permission allows the user to view the contents of a file or directory, while the execute permission allows the user to enter or search a directory. Therefore, removing both permissions will prevent the user from accessing or listing the files in the upload directory. However, the write permission can be left on, as it allows the user to create or modify files in the directory, which is the purpose of an upload directory. References:

• LPIC-2 Exam 202-450 Objectives, Topic 211: File Sharing, Objective 211.2: Manage FTP Service, Weight: 3
• LPIC-2 Linux Professional Institute Certification Study Guide: Exam 201 and Exam 202, Chapter 9: File Sharing, FTP, p. 353-354
• Linux File Permissions Explained, Read, Write, and Execute Permissions, p. 2-4

 PAM modules are organized and stored as shared object files within the /lib/ directory hierarchy. A shared object file is a file that contains executable code and data that can be loaded into memory and used by one or more programs. This allows PAM modules to be dynamically loaded and unloaded by the PAM library as needed, without requiring recompilation or relinking of the programs that use them. The /lib/ directory hierarchy contains subdirectories for different architectures and operating systems, such as /lib/x86_64-linux-gnu/ or /lib64/. The PAM modules are usually located in a subdirectory named security, such as /lib/x86_64-linux-gnu/security/ or /lib64/security/. The PAM modules have names that start with pam_ and end with .so, such as pam_unix.so or pam_cracklib.so12.

References:

• PAM Modules: A section from the Linux-PAM System Administrators’ Guide that explains what PAM modules are, how they are named, and where they are located.
• An introduction to Pluggable Authentication Modules (PAM) in Linux: An article from Red Hat that introduces the concept and usage of PAM in Linux, which includes a description of PAM modules and their location.

 In the main Postfix configuration file, which is usually /etc/postfix/main.cf, service definitions are continued on the next line by starting the following line with white space indentation. This means that the line must begin with one or more spaces or tabs. This is useful when a service definition has many parameters or options that would make the line too long or hard to read. For example, a service definition for the smtpd daemon could look like this:

The first line defines the service name, type, private flag, unpriv flag, chroot flag, wakeup time, maxproc limit, and command. The following lines, indented with white space, define additional options for the smtpd command, such as the syslog name, the SASL authentication, and the recipient restrictions. Each option is prefixed with -o and separated by white space.

References: You can find more information about the main Postfix configuration file and the service definition syntax in the following resources:

• Postfix Basic Configuration
• Postfix Architecture Overview

The word missing from the excerpt of a named.conf file is “acl”. This is because the excerpt is defining an access control list (ACL) for the DNS server. The ACL is used to restrict access to the DNS server and is defined in the named.conf file. The syntax for defining an ACL is:

acl name { address_match_list; };

where name is the name of the ACL, and address_match_list is a list of IP addresses, networks, or keywords that match the clients that are allowed or denied access.References:

• LPIC-2 Overview
• LPIC-2 202-450
• BIND 9 Administrator Reference Manual

 After running ssh-keygen and accepting the default values, the following files are changed or created in the user’s home directory under the .ssh subdirectory:

• ~/.ssh/id_rsa: This file contains the private key of the user, which is used for authenticating the user to a remote server. The private key is encrypted with a passphrase, which can be left empty for convenience, but this is not recommended for security reasons. The private key should be kept secret and protected by the user, and should not be copied or shared with anyone else.
• ~/.ssh/id_rsa.pub: This file contains the public key of the user, which is used for verifying the user’s identity by the remote server. The public key can be copied and distributed to any server that the user wants to access via SSH. The public key can also be appended to the ~/.ssh/authorized_keys file on the remote server, which allows the user to log in without entering a password.

The other options are not correct. There is no file called ~/.ssh/id_rsa.key, ~/.ssh/id_rsa.prv, or ~/.ssh/id_rsa.crt created by ssh-keygen. The .key, .prv, and .crt extensions are not used by ssh-keygen, and they may be confused with other types of keys or certificates.

References:

• How to Use ssh-keygen to Generate a New SSH Key?
• How To Set Up SSH Keys
• SSH Essentials: Working with SSH Servers, Clients, and Keys

When using a web server certificate that is signed by an intermediate certification authority, the web server must also send the intermediate certificate to the client browser, so that the browser can verify the whole chain of trust. To do this, the web server must have both the web server certificate and the intermediate certificate in one file, which is specified in the SSLCertificateFile directive of Apache HTTPD. This way, the web server can send both certificates to the client in one response. The order of the certificates in the file is important: the web server certificate must come first, followed by the intermediate certificate. The file can be created by concatenating the two certificates with a text editor or the cat command. References:

• LPIC-2 202 exam objectives, topic 218.1: Implementing HTTPS
• Apache HTTPD documentation, section: SSLCertificateFile Directive
• How to install an Intermediate SSL Certificate on Apache

The verbose_proctitle parameter in the Dovecot configuration file controls whether Dovecot adds extra information to its process titles. When this parameter is set to yes, Dovecot will show the username, IP address of the peer, and the connection status for each process. This can help to associate the processes with users and peers, and to monitor the activity of the mail server. For example, the process titles may look like this:

dovecot/imap-login user@domain.com [192.168.0.1] dovecot/imap user@domain.com [192.168.0.1] IDLE

The verbose_proctitle parameter can be set in the /etc/dovecot/dovecot.conf file or in the /etc/dovecot/conf.d/10-master.conf file. The default value is no, which means that Dovecot will only show the process name and the command state. For example:

dovecot/imap-login dovecot/imap [idling]

The other options are not related to the process titles. The --with-linux-extprocnames option for ./configure when building Dovecot is not a valid option. The sys.ps.allow_descriptions and proc.all.show_status parameters in sysctl.conf or /proc are not valid parameters. The process_format parameter in the Dovecot configuration is used to specify the format of the process name, not the process title.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.4: Managing a dovecot server
• Process Titles — Dovecot documentation, Dovecot Documentation
• Dovecot Configuration Parameters: verbose_proctitle, Dovecot Documentation
• Dovecot Configuration Parameters: process_name, Dovecot Documentation
• How to monitor dovecot processes? - Server Fault, Forum

The Samba service that handles the membership of a file server in an Active Directory domain is winbindd. Winbindd is a daemon that provides a number of services to the Name Service Switch (NSS) capability of the system, such as resolving user and group information from a Windows NT server and authentication. Winbindd can also be used to join a Samba file server to an Active Directory domain and authenticate domain users to access the file shares12 References:

• Chapter 4. Using Samba for Active Directory Integration Red Hat Enterprise Linux 7 - Red Hat Customer Portal
• Winbind: Use of Domain Accounts - SambaWiki

The status parameter in an OpenVPN server configuration file specifies the name of a file where OpenVPN writes information about the current status of the VPN tunnel, such as the time, bytes sent and received, and the IP address and port of each connected client. This file can be used to monitor the VPN activity and troubleshoot any issues. The file does not contain any information about errors and warnings generated by the openvpn daemon, as those are written to the log file specified by the log or log-append parameter. The file also does not contain any historical information about the clients who have connected at some point, as it only shows the current state of the VPN tunnel. 

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

https://openvpn-status.readthedocs.io/en/latest/api.html

Samba cannot use /etc/passwd and /etc/shadow directly because they store passwords in a different format than CIFS. CIFS passwords are encrypted using a one-way hash function, while Unix passwords are encrypted using a two-way cipher. Therefore, Samba needs a separate password file that stores the CIFS passwords in a compatible format. This file is usually called smbpasswd and can be created or updated using the smbpasswd command123 References:

• Chapter 9. Users and Security - Samba
• smbpasswd - Samba
• Chapter 20. samba authentication - linux-training.be

Chapter 9. Users and Security - Samba3

Chapter 9. Users and Security - Samba