RH134 - ch06s04

In this lab, you will add a named group access control list (ACL) and a named user ACL to an existing share folder and its content. You will set up default ACLs to ensure future files and directories get the correct permissions.

Resources:
Files:	`/shares/steamies/*`, `/shares/steamies/display_engines.sh`
Machines:	serverX

Outcomes:

Members of the sodor group will have the same access permissions as the controller group on the steamies directory, except james, who has no access.
Existing files and directories will be updated to reflect the new sodor and james ACL permissions.
New files and directories will automatically get the correct ACL and file permissions.

Reset your serverX system.
Log into and set up your server system.
```
[student@serverX ~]$ lab acl setup
```
Open a terminal.
Switch to root using sudo -i.

Student is a controller for the Sodor Island Rail network. There is a properly configured share directory located at /shares/steamies that hosts files detailing rostering, steam engines, etc.

Currently, only members of the controller group have access to this directory, but it has been decided that members of the sodor group would benefit from full access to this directory.

James, a member of the sodor group, has caused chaos and confusion on many occasions, so he is to be denied access to the directory, at least until he shows that he is a really useful engine.

Your task is to add appropriate ACLs to the directory and its contents, so that members of the sodor group have full access, but deny user james any access. Make sure that future files and directories stored in /shares/steamies get appropriate ACLs applied.

Important information:

controller group: student
sodor group: thomas, james
There is a subdirectory called engines and numerous files to test the ACLs. Also, there is an executable script you can test.
Thomas and James have their passwords set to redhat.
All changes should occur to directory steamies and its files; do not adjust the shares directory.

Add the named ACLs to the steamies directory and all of its content.
1. Use setfacl to recursively update the steamies directory, granting the sodor group read, write, and conditional execute permissions.
```
[root@serverX ~]# setfacl -Rm g:sodor:rwX /shares/steamies
```
  -R recursive, -m modify/add, :rwX read/write/eXecute (but only on directories and existing executables)
2. Use setfacl to recursively update the steamies directory, denying the user james from the sodor group any access.
```
[root@serverX ~]# setfacl -Rm u:james:- /shares/steamies
```
  -R recursive, -m modify/add, :- no permissions
Add the named ACLs as default ACLs to support future file and directory additions.
1. Use setfacl to add a default access rule for the sodor group. Grant read, write, and execute permissions on the steamies directory.
```
[root@serverX ~]# setfacl -m d:g:sodor:rwx /shares/steamies
```
  -m modify/add, d:g default group, :rwx read/write/execute (needed for proper subdirectory creation and access)
2. Use setfacl to add a default access rule for the user james. Deny all access to the steamies directory.
```
[root@serverX ~]# setfacl -m d:u:james:- /shares/steamies
```
  -m modify/add, d:u default user, :- no permissions

Verify your ACL changes.

Thomas should be able to read any file, create a new directory with a new file in it, and execute the display_engines.sh script.

James should not be able to read, write, or execute any file; this includes being unable to list the directory contents.

Use sudo -i -u user to switch to your test users. Use exit or Ctrl+D to leave the test user shell.

[root@serverX ~]# exit
[student@serverX ~]$ sudo -i -u thomas
[thomas@serverX ~]$ cd /shares/steamies/

Use cat to check that Thomas can read a file.

[thomas@serverX steamies]$ cat roster.txt
James - Shunting at Brendam docks
Percy - Overnight mail run
Henry - Flying Kipper run
Thomas - Annie and Clarabel, Knapford line

Use display_engines.sh to check that Thomas can execute a script.

[thomas@serverX steamies]$ ./display_engines.sh
They're two, they're four, they're six, they're eight ...
Edward wants to help and share
...
Toby, well let's say, he's square

Use mkdir to create a directory as Thomas.
Use echo to create a file in the new directory as Thomas.
Switch back to student when you are finished.
```
[thomas@serverX steamies]$ mkdir tidmouth
[thomas@serverX steamies]$ echo "toot toot" > tidmouth/whistle.txt
[thomas@serverX steamies]$ exit
```
Use cd to try and change into the directory as James, and also try ls to list the directory. Both commands should fail with Permission denied.
You could try one or more of the commands Thomas issued, but as James, to further verify his lack of access. Try prefixing each file with the full path, /shares/steamies, because you cannot cd into the directory.
Switch back to student when you are finished testing james.
```
[student@serverX ~]$ sudo -i -u james
[james@serverX ~]$ cd /shares/steamies/
-bash: cd: /shares/steamies/: Permission denied
[james@serverX ~]$ ls /shares/steamies/
ls: cannot open directory /shares/steamies: Permission denied
[james@serverX ~]$ cat /shares/steamies/roster.txt
cat: /shares/steamies/roster.txt: Permission denied
[james@serverX ~]$ exit
```

Use getfacl to see all the ACLs on /shares/steamies and the ACLs on /shares/steamies/tidmouth.

Note

Use newgrp controller to switch student to the controller group.

The lab acl setup script adds controller as a supplementary group to student; however, unless you have restarted the shell prior to this step, then the current shell does not yet recognize the new membership and getfacl on tidmouth will get Permission denied.

[student@serverX ~]$ newgrp controller
[student@serverX ~]$ getfacl /shares/steamies
getfacl: Removing leading '/' from absolute path names
# file: shares/steamies/
# owner: root
# group: controller
# flags: -s-
user::rwx
user:james:---
group::rwx
group:sodor:rwx
mask::rwx
other::---
default:user::rwx
default:user:james:---
default:group::rwx
default:group:sodor:rwx
default:mask::rwx
default:other::---

[student@serverX ~]$ getfacl /shares/steamies/tidmouth
getfacl: Removing leading '/' from absolute path names
# file: shares/steamies/tidmouth
# owner: thomas
# group: controller
# flags: -s-
user::rwx
user:james:---
group::rwx
group:sodor:rwx
mask::rwx
other::---
default:user::rwx
default:user:james:---
default:group::rwx
default:group:sodor:rwx
default:mask::rwx
default:other::---

Discuss Red Hat System Administration II

Go to community

Is It possible to reset root password when the system is on multi-user.target?

jennifer1987

27 lip 2023

Hi thereWell, i have a question, Is It possible to reset root password when the system is on multi-user.target? I was not be able to found a foro o some information related with this and another question that I have, If the grub menu dont show up, is it posible to reset the root password?

991

Red Hat System Administration II (RH134)

Haley_Ruccio

21 lip 2023

Build the skills to perform the key tasks needed to become a full-time Linux administratorRed Hat System Administration II (RH134) is the second part of the RHCSA training track for IT professionals who have already attended Red Hat System Administration I. The course goes deeper into core Linux system administration skills in storage configuration and management, installation and deployment of Red Hat Enterprise Linux, management of security features such as SELinux, control of recurring system tasks, management of the boot process and troubleshooting, basic system tuning, and command-line automation and productivity. This course assumes that students have attended Red Hat System Administration I (RH124).Experienced Linux administrators who seek rapid preparation for the RHCSA certification should instead start with RHCSA Rapid Track (RH199).This course is based on Red Hat Enterprise Linux 9.0.Course summaryInstall Red Hat Enterprise Linux using scalable methodsAccess security files, file systems, and networksExecute shell scripting and automation techniquesManage storage devices, logical volumes, and file systemsManage security and system accessControl the boot process and system servicesRun containersAudience for this courseThis course is geared toward Windows system administrators, network administrators, and other system administrators who are interested in supplementing current skills or backstopping other team members, in addition to Linux system administrators who are responsible for these tasks:Configuring, installing, upgrading, and maintaining Linux systems using established standards and proceduresProviding operational supportManaging systems for monitoring system performance and availabilityWriting and deploying scripts for task automation and system administrationRecommended trainingSuccessful completion of Red Hat System Administration I (RH124) is recommended.Experienced Linux administrators seeking to accelerate their path toward becoming a Red Hat Certified System Administrator should start with the RHCSA Rapid Track course (RH199).Take our free assessment to gauge whether this offering is the best fit for your skills.Technology considerationsThere are no special technology requirements.This course is not designed for bring your own device (BYOD).Internet access is not required, but is recommended to allow students to research and access Red Hat online resources.

Welcome to the Red Hat System Administration II (RH134) group in the Red Hat Learning Community!

Deanna

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat System Administration II! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH134.Read more about Red Hat System Administration II here.

417

Revision: rh134-7-c643331