
Lab: Controlling Access to Files with Access Control Lists (ACLs)

In this lab, you will update a collaborative directory to have the correct group ownership and permissions. You will add ACLs to allow another group to have appropriate permissions, while limiting permissions for a specific user.

Resources:
Files: /shares/cases/*
Machines: serverX

Outcomes:

  • Members of the bakerstreet group will have correct access permissions to the cases directory.

  • Members of the scotlandyard group will have read/write access to the cases directory, except user jones, who only has read access. All members of the scotlandyard group should have execute on the directory.

  • New files and directories will automatically get the correct group ownership, ACL, and file permissions.

Before you begin:

  • Reset your serverX system (see note).

  • Log into and set up your server system (see note).

    [student@serverX ~]$ lab acl setup

  • Open a terminal.

  • Switch to root using sudo -i.

Note

If you reset your server for the "Using ACLs to Grant and Limit Access" practice exercise and you have not tampered with the /shares/cases directory, then you do NOT need to reset the server or rerun the lab setup for this lab.

The Baker Street detective agency is setting up a collaborative share directory to hold case files, which members of the bakerstreet group will have read and write permissions on.

The lead detective, Sherlock Holmes, has decided that members of the scotlandyard group should also be able to read and write to the share directory. However, Holmes does not trust Inspector Peter Jones (a member of the scotlandyard group), and as such, Jones should have his access to the directory restricted to read-only.

Mrs. Hudson has created the user groups and has started the process of setting up the share directory, copying in some of the more recent case files. Since Sherlock would rather play his violin, it falls to you to finish the job.

Your task is to complete the setup of the share directory. The directory and all of its contents should be owned by the bakerstreet group, with the files updated to read and write for the owner and group (bakerstreet). Other users should have no permissions. You also need to provide read and write permissions for the scotlandyard group, with the exception of jones, who only gets read permissions. Make sure your setup applies to existing and future files.

Important information:

  • Share directory: /shares/cases

  • bakerstreet group: holmes, watson

  • scotlandyard group: lestrade, gregson, jones

  • Two files exist in the directory: adventures.txt and moriarty.txt.

  • All five user passwords are redhat.

  • All changes should occur to directory cases and its files; do not adjust the shares directory.

When you are done, run the command lab acl grade from your machine to verify your work.

  1. The cases directory and its content should belong to group bakerstreet. New files added in the cases directory should automatically belong to the group bakerstreet. Existing files should be set to rw for user and group. (Hint: do not use setfacl.)

    1. Use chgrp to recursively update group ownership on the directory and its contents.

      [root@serverX ~]# chgrp -R bakerstreet /shares/cases
    2. Use chmod to update the setgid flag on the directory.

      [root@serverX ~]# chmod g+s /shares/cases
    3. Use chmod to update all existing file permissions to rw for owner and group.

      [root@serverX ~]# chmod 660 /shares/cases/*
  2. Add ACLs to the cases directory (and its contents) that allow members of the scotlandyard group to have read/write access on the files and execute on the directory. Restrict user jones to read access on the files and execute on the directory.

    1. Use setfacl to recursively update the existing cases directory and its content. Grant the group scotlandyard read, write, and conditional execute permissions (capital X adds execute only to directories and to files that already have execute set for some user, so the regular case files stay non-executable).

      [root@serverX ~]# setfacl -Rm g:scotlandyard:rwX /shares/cases
    2. Use setfacl to recursively update the existing cases directory and its content. Grant the user jones read and conditional execute permissions (capital X, so execute is added to the directory but not to the regular files).

      [root@serverX ~]# setfacl -Rm u:jones:rX /shares/cases
  3. Add ACLs that ensure any new file or directory in the cases directory has the correct permissions applied for ALL authorized users and groups.

    1. Use setfacl to update the default permissions for members of the scotlandyard group. Default permissions are read, write, and execute (needed for proper subdirectory creation and access).

      [root@serverX ~]# setfacl -m d:g:scotlandyard:rwx /shares/cases
    2. Use setfacl to update the default permissions for scotlandyard user jones. Default permissions are read and execute (needed for proper subdirectory access).

      [root@serverX ~]# setfacl -m d:u:jones:rx /shares/cases
  4. Verify that you have made your ACL and file system changes correctly.

    Use ls and getfacl to review your settings on /shares/cases.

    From student, use sudo -i -u user to switch to both holmes and lestrade. Verify that you can write to a file, read from a file, make a directory, and write to a file in the new directory. Use ls to check the new directory permissions and getfacl to review the new directory ACLs.

    From student, use sudo -i -u jones to switch users. Try writing to a file (it should fail) and try to make a new directory (it should fail). As jones, you should be able to read from the adventures.txt file in the cases directory and read from the "test" file written in either of the new directories created by holmes and lestrade.

    Note

    The set of tests above is only some of the tests you could perform to check that access permissions are correct. You should devise appropriate access validation tests for your environment.

    1. Use ls to check the cases directory and its content. Look for group ownership, directory and file permissions, the directory setgid flag, and the "+" indicating ACLs exist.

      [root@serverX ~]# ls -ld /shares/cases
      drwxrws---+ 2 root bakerstreet 46 Mar 18 06:56 /shares/cases
      [root@serverX ~]# ls -l /shares/cases
      total 16
      -rw-rw----+ 1 root bakerstreet 22 Mar 18 06:56 adventures.txt
      -rw-rw----+ 1 root bakerstreet  8 Mar 18 06:56 do_NOT_delete.grading.txt
      -rw-rw----+ 1 root bakerstreet 38 Mar 18 06:56 moriarty.txt
    2. Use getfacl and review its output. Look for the named user and named group entries in both the standard and default ACLs.

      [root@serverX ~]# getfacl /shares/cases
      getfacl: Removing leading '/' from absolute path names
      # file: shares/cases
      # owner: root
      # group: bakerstreet
      # flags: -s-
      user::rwx
      user:jones:r-x
      group::rwx
      group:scotlandyard:rwx
      mask::rwx
      other::---
      default:user::rwx
      default:user:jones:r-x
      default:group::rwx
      default:group:scotlandyard:rwx
      default:mask::rwx
      default:other::---
    3. Perform the following operations as holmes. Repeat as lestrade, replacing any reference to holmes in each of the commands. Check that you get the expected access behavior.

      [student@serverX ~]$ sudo -i -u holmes
      [holmes@serverX ~]$ cd /shares/cases
      [holmes@serverX cases]$ echo hello > holmes.txt
      [holmes@serverX cases]$ cat adventures.txt
      The Adventures of ...
      [holmes@serverX cases]$ mkdir holmes.dir
      [holmes@serverX cases]$ echo hello > holmes.dir/test.txt
      [holmes@serverX cases]$ ls -ld holmes.dir
      drwxrws---+ 2 holmes bakerstreet 21 Mar 18 07:35 holmes.dir
      [holmes@serverX cases]$ ls -l holmes.dir
      total 8
      -rw-rw----+ 1 holmes bakerstreet 6 Mar 18 07:39 test.txt
      [holmes@serverX cases]$ getfacl holmes.dir
      # file: holmes.dir
      # owner: holmes
      # group: bakerstreet
      # flags: -s-
      user::rwx
      user:jones:r-x
      group::rwx
      group:scotlandyard:rwx
      mask::rwx
      other::---
      default:user::rwx
      default:user:jones:r-x
      default:group::rwx
      default:group:scotlandyard:rwx
      default:mask::rwx
      default:other::---
      
      [holmes@serverX cases]$ exit
      logout
      [student@serverX ~]$ 
    4. Perform the following operations as jones. Check that you get the expected access behavior.

      [student@serverX ~]$ sudo -i -u jones
      [jones@serverX ~]$ cd /shares/cases
      [jones@serverX cases]$ echo hello > jones.txt
      -bash: jones.txt: Permission denied
      [jones@serverX cases]$ cat adventures.txt
      The Adventures of ...
      [jones@serverX cases]$ mkdir jones.dir
      mkdir: cannot create directory ‘jones.dir’: Permission denied
      [jones@serverX cases]$ cat holmes.dir/test.txt
      hello
      [jones@serverX cases]$ exit
      logout
      [student@serverX ~]$ 
  5. When you are done, run the command lab acl grade from your serverX machine to verify your work.

    1. Run the grading script from your serverX machine.

      [student@serverX ~]$ lab acl grade
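The verification step logs in as each user to probe access by hand. As an added check that is not part of the Red Hat lab or its lab scripts, the Python below models the ACL evaluation order from acl(5) against the getfacl output shown in step 4, using the lab's group memberships, and goes one step further than the lab: set_mask shows how a mask narrower than rwx (which a plain chmod on the group bits of an ACL'd file produces) silently clips the named-user and group entries while leaving the owner untouched. The getfacl text is a constructed copy of the lab output, not a live read; primary groups are not modelled beyond the two lab groups.

```python
# Added example, not part of the Red Hat lab: evaluate the POSIX.1e ACL access
# algorithm (acl(5)) against the getfacl output from step 4, so each lab user's
# rights can be checked without logging in as them. Group memberships are the
# lab's; CASES_ACL is a constructed copy of that getfacl output, not a live read.
GROUPS = {"bakerstreet": {"holmes", "watson"},
          "scotlandyard": {"lestrade", "gregson", "jones"}}
CASES_ACL = """\
# owner: root
# group: bakerstreet
user::rwx
user:jones:r-x
group::rwx
group:scotlandyard:rwx
mask::rwx
other::---
"""

def parse_acl(text):
    """Return (owner, owning group, {(tag, qualifier): perm set}) for the access ACL."""
    owner = group = None
    acl = {}
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):   # skip the default ACL
            tag, qual, perm = line.split(":")
            acl[(tag, qual)] = set(perm) - {"-"}
    return owner, group, acl

def effective(user, text, groups=GROUPS):
    """Bits `user` gets: owner, else named user, else group class (union per bit
    over owning group and named groups), else other. Mask clips all but owner/other."""
    owner, owning_group, acl = parse_acl(text)
    mask = acl.get(("mask", ""), set("rwx"))        # no mask entry: nothing is clipped
    if user == owner:
        return acl[("user", "")]
    if ("user", user) in acl:                       # a named-user entry takes precedence
        return acl[("user", user)] & mask           # over every group the user is in
    member_of = {g for g, users in groups.items() if user in users}
    perms, in_group_class = set(), False
    for (tag, qual), p in acl.items():
        if tag == "group" and (qual in member_of or (qual == "" and owning_group in member_of)):
            in_group_class, perms = True, perms | (p & mask)
    return perms if in_group_class else acl[("other", "")]

def set_mask(text, perms):   # what chmod on the group bits of an ACL'd file rewrites
    return "\n".join(f"mask::{perms}" if l.startswith("mask::") else l
                     for l in text.splitlines()) + "\n"
```

effective("jones", CASES_ACL) returns {'r', 'x'} even though jones is in scotlandyard, because a named-user entry is evaluated before any group entry; that precedence, not the group's rwx, is what restricts Jones. effective("lestrade", set_mask(CASES_ACL, "r-x")) drops to {'r', 'x'}, which is why getfacl's "#effective:" column, not the group entry alone, is what to read after any chmod on the share.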
Revision: rh134-7-c643331