Linux Foundation Certified System Administrator (LFCS) Practice Exam

What the Linux Foundation Certified System Administrator (LFCS) exam covers

• Essential Commands264 questions
• Operation of Running Systems286 questions
• User and Group Management253 questions
• Networking258 questions
• Storage Management207 questions

Free Linux Foundation Certified System Administrator (LFCS) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 1,268.

1. Question 1Essential CommandsSelect all that apply

   Which TWO commands manage users/groups? (Choose TWO)

   • AgroupaddCorrect
   • Buseradd / usermodCorrect
   • Ctraceroute
   • Dnslookup
   ✓ Correct answer: A, B

   groupadd creates new system or user groups by writing entries to /etc/group and /etc/gshadow, while useradd provisions new user accounts by populating /etc/passwd, /etc/shadow, and creating home directories. usermod extends this by modifying existing user properties such as supplementary group membership (-aG), login shell, and home directory. Together these utilities form the core identity management toolchain on Linux systems, enabling administrators to enforce group-based access control policies.

   Why the other options are wrong

   • Ctraceroute is incorrect because it traces the network path to a remote host by sending ICMP or UDP packets with incrementing TTL values, serving as a network diagnostic tool with no user or group management capability.
   • Dnslookup is incorrect because it queries DNS servers to resolve domain names to IP addresses and has no relationship to local user or group account administration.
2. Question 2Operation of Running Systems

   During boot the system stops and reports it could not mount a filesystem listed in /etc/fstab, dropping into emergency mode. After the maintenance shell, which statement about emergency.target versus rescue.target is correct?

   • Aemergency.target provides only a minimal shell with the root filesystem mounted read-only and no other services, while rescue.target additionally mounts local filesystems and starts basic single-user servicesCorrect
   • Bemergency.target starts networking and multi-user services, while rescue.target only gives a shell
   • CBoth targets are identical and start the full graphical environment
   • Drescue.target mounts no filesystems at all, while emergency.target mounts everything in fstab
   ✓ Correct answer: A

   emergency.target is the most minimal recovery state: it spawns a single root shell with the root filesystem typically mounted read-only and brings up essentially nothing else, which is ideal when even mounting local volumes is failing. rescue.target (the systemd equivalent of single-user mode) goes further by mounting local filesystems and starting the sysinit basics before presenting a maintenance shell. Knowing the difference helps you choose the right target when fstab or storage problems block normal boot.

   Why the other options are wrong

   • Bemergency.target starts networking and multi-user services, while rescue.target only gives a shell is incorrect because it reverses their scope; emergency is the more minimal of the two.
   • CBoth targets are identical and start the full graphical environment is incorrect because neither starts a graphical environment and they differ in how many services and mounts they bring up.
   • Drescue.target mounts no filesystems at all, while emergency.target mounts everything in fstab is incorrect because rescue.target does mount local filesystems and emergency.target deliberately avoids mounting beyond a read-only root.
3. Question 3NetworkingSelect all that apply

   An administrator is debugging why an SSH connection to a server hangs at 'Connecting...' with no password prompt. Which TWO commands help determine whether the SSH port is reachable and listening? (Choose TWO)

   • Ass -ltn (on the server) to confirm sshd is listening on port 22Correct
   • Bssh -v user@server (on the client) to view verbose connection negotiationCorrect
   • Cchmod 600 /etc/ssh/sshd_config to fix the hang
   • Ddig server to confirm the SSH service is up
   ✓ Correct answer: A, B

   A hang before any prompt usually means a network/listening problem rather than authentication. On the server, 'ss -ltn' shows whether sshd is actually bound and LISTENing on the expected port, ruling out a stopped daemon or wrong port. From the client, 'ssh -v' prints each step of the connection (TCP connect, key exchange, banner) so you can see precisely where it stalls, such as the TCP connection never completing because a firewall is silently dropping packets.

   Why the other options are wrong

   • Cchmod 600 /etc/ssh/sshd_config to fix the hang is incorrect because the file's mode does not cause a connection hang, and changing it does not test reachability.
   • Ddig server to confirm the SSH service is up is incorrect because dig only resolves DNS names and tells you nothing about whether the SSH port is open or listening.
4. Question 4Essential Commands

   You must create a zip archive project.zip containing the directory project/ and all of its subdirectories and files. Which command is correct?

   • Azip -r project.zip projectCorrect
   • Bzip project.zip project
   • Czip -x project.zip project
   • Dunzip -r project.zip project
   ✓ Correct answer: A

   The -r (recurse) option directs zip to descend into the named directory and include every file and subdirectory beneath it in the archive. Without -r, zip would only store the directory entry itself and skip its contents. The first non-option argument is the archive name and the remaining arguments are the items to add.

   Why the other options are wrong

   • Bzip project.zip project is incorrect because without -r it adds only the project directory entry and not its contents recursively.
   • Czip -x project.zip project is incorrect because -x specifies files to exclude, so no contents would be archived as intended.
   • Dunzip -r project.zip project is incorrect because unzip extracts archives; it does not create them.
5. Question 5Essential CommandsSelect all that apply

   Your shell prompt should permanently include the current working directory and you must also ensure your custom bin directory is searched for commands in every new login shell. Which TWO actions, placed in your shell startup files, accomplish these goals? (Choose TWO)

   • ASet and export PS1 to include the \w escape, e.g. export PS1='\u@\h:\w\$ 'Correct
   • BAdd 'export PATH=$PATH:$HOME/bin' to your ~/.bash_profileCorrect
   • CSet export TERM=$HOME/bin to register the directory
   • DRun 'chmod +x ~/.bashrc' to enable PATH inheritance
   ✓ Correct answer: A, B

   The PS1 variable defines the primary prompt string, and the \w escape expands to the current working directory, so setting PS1 with \w in a startup file makes the prompt always show the directory. Appending $HOME/bin to PATH and exporting it ensures the shell searches that directory for commands in new sessions; placing it in ~/.bash_profile applies it to login shells. Together these two startup-file edits achieve both stated goals.

   Why the other options are wrong

   • CSet export TERM=$HOME/bin to register the directory is incorrect because TERM describes the terminal type for screen control and has nothing to do with the command search path; this would corrupt terminal handling.
   • DRun 'chmod +x ~/.bashrc' to enable PATH inheritance is incorrect because ~/.bashrc is sourced, not executed, so its execute bit is irrelevant and changing it does not affect PATH inheritance.
6. Question 6Operation of Running Systems

   On a system that uses access control for cron, a username appears in /etc/cron.deny but /etc/cron.allow does not exist. Can that user run 'crontab -e'?

   • ANo, because when only cron.deny exists, users listed in it are blocked from using crontabCorrect
   • BYes, because cron.deny is ignored unless cron.allow also exists
   • CNo, because the absence of cron.allow blocks all non-root users regardless of cron.deny
   • DYes, because cron.deny only restricts the at command, not crontab
   ✓ Correct answer: A

   No, because when only cron.deny exists, users listed in it are blocked from using crontab.

   Why the other options are wrong

   • Bcron access is governed by /etc/cron.allow and /etc/cron.deny: if cron.allow exists, only users listed there may use crontab and cron.deny is ignored; if cron.allow does not exist but cron.deny does, then every user except those named in cron.deny may use crontab. Therefore a user named in cron.deny (with no cron.allow present) is denied access to crontab -e. The root user is always permitted regardless of these files. Yes, because cron.deny is ignored unless cron.allow also exists is incorrect because cron.deny is the active control precisely when cron.allow is absent.
   • CNo, because the absence of cron.allow blocks all non-root users regardless of cron.deny is incorrect because when cron.allow is absent the default is to allow everyone not in cron.deny, not to block everyone.
   • DYes, because cron.deny only restricts the at command, not crontab is incorrect because cron.deny governs crontab; at uses a separate pair of files, /etc/at.allow and /etc/at.deny.
7. Question 7User and Group Management

   User 'leo' is a supplementary member of the group 'printers'. You must remove only that membership using gpasswd, leaving his other groups intact. Which command is correct?

   • Agpasswd -d leo printersCorrect
   • Bgpasswd -r leo printers
   • Cgpasswd --delete printers leo
   • Dgroupdel -d leo printers
   ✓ Correct answer: A

   The gpasswd -d <user> <group> form deletes a single user from a group's member list, editing only the printers entry in /etc/group while leaving every other group membership untouched. This is the surgical way to revoke one supplementary group without the risk of usermod -G accidentally replacing the whole list. The syntax is the -d option, then the user, then the group.

   Why the other options are wrong

   • Bgpasswd -r leo printers is incorrect because -r REMOVES the group password (so members can join with newgrp without a password) rather than removing a member.
   • Cgpasswd --delete printers leo is incorrect because the operands are reversed; the user name must come before the group name.
   • Dgroupdel -d leo printers is incorrect because groupdel deletes an entire group and accepts no -d member argument.
8. Question 8User and Group Management

   You want to test whether a single proposed sudoers rule is syntactically valid by piping it to the validator without touching any real file. Which command checks sudoers syntax read from standard input?

   • Avisudo -cf -Correct
   • Bsudo -c -
   • Cvisudo --test
   • Dsudo --check-stdin
   ✓ Correct answer: A

   The -c option puts visudo in check-only mode and -f names the file to parse; using '-' as the file name tells visudo to read the candidate sudoers content from standard input. This lets you pipe a proposed rule (for example via 'echo "user ALL=(ALL) ALL" | visudo -cf -') and see immediately whether it parses, without modifying /etc/sudoers or any drop-in. The exit status reflects validity, making it ideal for scripted policy checks.

   Why the other options are wrong

   • Bsudo -c - is incorrect because sudo has no -c syntax-check option; -c relates to selecting a login class on some systems and does not validate sudoers.
   • Cvisudo --test is incorrect because there is no --test long option; the documented check option is -c (--check).
   • Dsudo --check-stdin is incorrect because no such option exists; sudoers validation is performed by visudo, not by the sudo command itself.
9. Question 9Networking

   Which dig option set returns the address record for example.com while suppressing everything except the answer section, useful for a clean human-readable view that still shows the record fields?

   • Adig example.com +noall +answerCorrect
   • Bdig example.com +short +trace
   • Cdig example.com +nostats
   • Ddig example.com +multiline +additional
   ✓ Correct answer: A

   '+noall' turns off display of all output sections, and '+answer' re-enables only the answer section, so the result is just the answer resource records with their name, TTL, class, type, and data fields intact. This is the canonical combination for a tidy yet field-complete view, distinct from '+short' which strips the fields down to bare values. The two options are commonly used together.

   Why the other options are wrong

   • Bdig example.com +short +trace is incorrect because '+trace' performs iterative delegation tracing and '+short' shrinks output to bare values, which is not a clean single answer section.
   • Cdig example.com +nostats is incorrect because it only hides the footer statistics while leaving the verbose header, question, and authority sections visible.
   • Ddig example.com +multiline +additional is incorrect because it expands records onto multiple lines and adds the additional section, increasing rather than suppressing output.
10. Question 10Storage Management

    On an MBR disk you already have three primary partitions and now need additional partitions. What must you create so that you can define logical partitions beyond the four-primary limit?

    • AAn extended partition, which acts as a container in which logical partitions are definedCorrect
    • BA GPT protective partition that overrides the MBR limit
    • CA second MBR in the last sector of the disk
    • DA swap partition, which automatically permits unlimited additional partitions
    ✓ Correct answer: A

    The MBR scheme allows at most four primary partition entries. To exceed that, one primary slot is used to create an extended partition, which is a container whose space is then subdivided into logical partitions (numbered 5 and up on Linux). This is how MBR disks accommodate more than four usable partitions. fdisk offers 'n' then a prompt to choose primary or extended for this purpose.

    Why the other options are wrong

    • BA GPT protective partition that overrides the MBR limit is incorrect because the protective MBR exists on GPT disks to prevent legacy tools from misreading them; it does not add logical partitions to an MBR disk.
    • CA second MBR in the last sector of the disk is incorrect because the MBR resides only in the first sector and there is no secondary MBR concept.
    • DA swap partition, which automatically permits unlimited additional partitions is incorrect because a swap partition is just an ordinary partition type and grants no special partitioning ability.

Linux Foundation Certified System Administrator (LFCS) practice exam FAQ