RH134 - ch04s04

Bookmark this page

Guided Exercise: Securing Files with ACLs

In this exercise, you will use ACL entries to grant access to a directory for a group and deny access for a user, set the default ACL on a directory, and confirm that new files created in that directory inherit the default ACL.

Outcomes

You should be able to:

Use ACL entries to grant access to a group, and deny access to one of its members.
Verify that the existing files and directories reflect the new ACL permissions.
Set the default ACL on a directory, and confirm that new files and directories inherit its configuration.

On workstation, run the lab acl-secure start command. This command runs a start script that determines if the servera machine is reachable on the network. It also creates the users, groups, directories, and files used in this exercise.

[student@workstation ~]$ lab acl-secure start

Operators and Consultants are members of an IT support company. They need to start sharing information. servera contains a properly configured share directory located at /shares/content that hosts files.

Currently, only members of the operators group have access to this directory, but members of the consultants group need full access to this directory.

The consultant1 user is a member of the consultants group but has caused problems on many occasions, so this user should not have access to the directory.

Your task is to add appropriate ACL entries to the directory and its contents so that members of the consultants group have full access, but deny the consultant1 user any access. Make sure that future files and directories stored in /shares/content get appropriate ACL entries applied.

Important information:

The sysadmin1 and operator1 users are members of the operators group.
The consultant1 and consultant2 users are members of the consultants group.
The /shares/content directory contains a subdirectory called server-info and numerous files to test the ACL. Also, the /shares/content directory contains an executable script called loadvg.sh that you can use for testing.
The sysadmin1, operator1, consultant1, and consultant2 users have their passwords set to redhat.
All changes should occur to the /shares/content directory and its files; do not adjust the /shares directory.

Log in to servera and switch to the root user.
1. Use the ssh command to log in to servera as the student user. The systems are configured to use SSH keys for authentication, therefore a password is not required.
```
[student@workstation ~]$ ssh student@servera
...output omitted...
[student@servera ~]$ 
```
2. Use the sudo -i command to switch to the root user. The password for the student user is student.
```
[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]# 
```
Add the named ACL to the /shares/content directory and all of its content.
1. Use setfacl to recursively update the /shares/content directory, granting the consultants group read, write, and conditional execute permissions.
```
[root@servera ~]# setfacl -Rm g:consultants:rwX /shares/content
```
  The -R option means recursive, the -m option means modify/add, rwX means apply read, write, and conditional execute permissions.
2. Use setfacl to recursively update the /shares/content directory, denying the consultant1 user from the consultants group any access.
```
[root@servera ~]# setfacl -Rm u:consultant1:- /shares/content
```
  The -R option means recursive, the -m option means modify/add, - means give no access.
Add the named ACL as the default ACL to support future file and directory additions.
1. Use setfacl to add a default access rule for the consultants group. Grant read, write, and execute permissions on the content directory.
```
[root@servera ~]# setfacl -m d:g:consultants:rwx /shares/content
```
  The -m options means modify/add, d:g means default group, rwx means apply read/write/execute permissions (needed for proper subdirectory creation and access)
2. Use setfacl to add a default access rule for the consultant1 user. Deny all access to the content directory.
```
[root@servera ~]# setfacl -m d:u:consultant1:- /shares/content
```
  The -m option means modify/add, d:u means default user, - means no permissions

Verify your ACL changes.

consultant2 should be able to read any file and create a new directory with a new file in it.

consultant1 should not be able to read, write, or execute any file; this includes being unable to list the directory contents.

Use su - user to switch to your test users. Use exit or Ctrl+D to leave the test user shell.

[root@servera ~]# exit
[student@servera ~]$ su - consultant2
Password: redhat
[consultant2@servera ~]$ cd /shares/content/

Use cat to check that consultant2 can read a file.

[consultant2@servera content]$ cat serverb-loadavg.txt
#################################################
serverb.lab.example.com
#################################################
Wed Mar 25 15:25:19 EDT 2019
#################################################
ldavg 0.18, 0.06, 0.05
#################################################

Use the loadavg.sh script to check that consultant2 can execute a file.

[consultant2@servera content]$ ./loadavg.sh
ldavg 0.00, 0.00, 0.04

Create a directory called reports.

Use echo to create a file with some content, name the file test.txt, and place it in the new directory.

Switch back to student when you are finished.

[consultant2@servera content]$ mkdir reports
[consultant2@servera content]$ echo "TEST REPORT" > reports/test.txt
[consultant2@servera content]$ exit
logout
[student@servera ~]$

Log in as the consultant1 user. Use cd to try and change into the directory as consultant1, and also try ls to list the directory. Both commands should fail with Permission denied.
Try one or more of the commands that consultant2 used, but as consultant1, to further verify the lack of access. Use the full path, /shares/content, because you cannot use cd to change into the directory.
Switch back to student when you are finished testing consultant1.
```
[student@servera ~]$ su - consultant1
Password: redhat
[consultant1@servera ~]$ cd /shares/content/
-bash: cd: /shares/content/: Permission denied
[consultant1@servera ~]$ ls /shares/content/
ls: cannot open directory '/shares/content/': Permission denied
[consultant1@servera ~]$ cat /shares/content/serverb-loadavg.txt
cat: /shares/content/serverb-loadavg.txt: Permission denied
[consultant1@servera ~]$ exit
logout
[student@servera ~]$ 
```

Log in as the sysadmin1 user. Use getfacl to see all the ACL entries on /shares/content and the ACL entries on /shares/content/reports.

Switch back to student when you are finished testing consultant1.

[student@servera ~]$ su - sysadmin1
Password: redhat
[sysadmin1@servera ~]$ getfacl /shares/content
getfacl: Removing leading '/' from absolute path names
# file: shares/content/
# owner: root
# group: operators
# flags: -s-
user::rwx
user:consultant1:---
group::rwx
group:consultants:rwx
mask::rwx
other::---
default:user::rwx
default:user:consultant1:---
default:group::rwx
default:group:consultants:rwx
default:mask::rwx
default:other::---

[sysadmin1@servera ~]$ getfacl /shares/content/reports
getfacl: Removing leading '/' from absolute path names
# file: shares/content/reports
# owner: consultant2
# group: operators
# flags: -s-
user::rwx
user:consultant1:---
group::rwx
group:consultants:rwx
mask::rwx
other::---
default:user::rwx
default:user:consultant1:---
default:group::rwx
default:group:consultants:rwx
default:mask::rwx
default:other::---

[sysadmin1@servera ~]$ exit
logout
[student@servera ~]$

Log off from servera.

[student@servera ~]$ exit
logout
Connection to servera closed.
[student@workstation ~]$

Finish

On workstation, run the lab acl-secure finish script to complete this exercise.

[student@workstation ~]$ lab acl-secure finish

This concludes the guided exercise.

Discuss Red Hat System Administration II

Go to community

Is It possible to reset root password when the system is on multi-user.target?

jennifer1987

27 lip 2023

Hi thereWell, i have a question, Is It possible to reset root password when the system is on multi-user.target? I was not be able to found a foro o some information related with this and another question that I have, If the grub menu dont show up, is it posible to reset the root password?

991

Red Hat System Administration II (RH134)

Haley_Ruccio

21 lip 2023

Build the skills to perform the key tasks needed to become a full-time Linux administratorRed Hat System Administration II (RH134) is the second part of the RHCSA training track for IT professionals who have already attended Red Hat System Administration I. The course goes deeper into core Linux system administration skills in storage configuration and management, installation and deployment of Red Hat Enterprise Linux, management of security features such as SELinux, control of recurring system tasks, management of the boot process and troubleshooting, basic system tuning, and command-line automation and productivity. This course assumes that students have attended Red Hat System Administration I (RH124).Experienced Linux administrators who seek rapid preparation for the RHCSA certification should instead start with RHCSA Rapid Track (RH199).This course is based on Red Hat Enterprise Linux 9.0.Course summaryInstall Red Hat Enterprise Linux using scalable methodsAccess security files, file systems, and networksExecute shell scripting and automation techniquesManage storage devices, logical volumes, and file systemsManage security and system accessControl the boot process and system servicesRun containersAudience for this courseThis course is geared toward Windows system administrators, network administrators, and other system administrators who are interested in supplementing current skills or backstopping other team members, in addition to Linux system administrators who are responsible for these tasks:Configuring, installing, upgrading, and maintaining Linux systems using established standards and proceduresProviding operational supportManaging systems for monitoring system performance and availabilityWriting and deploying scripts for task automation and system administrationRecommended trainingSuccessful completion of Red Hat System Administration I (RH124) is recommended.Experienced Linux administrators seeking to accelerate their path toward becoming a Red Hat Certified System Administrator should start with the RHCSA Rapid Track course (RH199).Take our free assessment to gauge whether this offering is the best fit for your skills.Technology considerationsThere are no special technology requirements.This course is not designed for bring your own device (BYOD).Internet access is not required, but is recommended to allow students to research and access Red Hat online resources.

Welcome to the Red Hat System Administration II (RH134) group in the Red Hat Learning Community!

Deanna

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat System Administration II! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH134.Read more about Red Hat System Administration II here.

417

Revision: rh134-8.2-f0a9756