RH134 - ch04s05

Bookmark this page

Lab: Controlling Access to Files with ACLs

Performance Checklist

In this lab, you will set up a collaborative directory for users in two groups, combining the set-GID permission and default ACL entries to provide correct access permissions.

Outcomes

You should be able to:

Configure set-GID permission on a folder, to inherit group ownership on files and folders inside.
Configure ACL entries to allow or deny read/write/execute permissions to users and groups on files and directories.
Configure default ACL to get the right ACL and file permissions automatically, on new files and directories.

On workstation, run the lab acl-review start command. This command runs a start script that determines if the serverb machine is reachable on the network. It also creates the users, groups, directories and files used in this exercise.

[student@workstation ~]$ lab acl-review start

A stock finance agency is setting up a collaborative share directory to hold case files, which members of the managers group will have read and write permissions on.

The co-founder of the agency, manager1, has decided that members of the contractors group should also be able to read and write to the share directory. However, manager1 does not trust the contractor3 user (a member of the contractors group), and as such, contractor3 should have access to the directory restricted to read-only.

manager1 has created the users and groups, and has started the process of setting up the share directory, copying in some templates files. Because manager1 has been too busy, it falls to you to finish the job.

Your task is to complete the setup of the share directory. The directory and all of its contents should be owned by the managers group, with the files updated to read and write for the owner and group (managers). Other users should have no permissions. You also need to provide read and write permissions for the contractors group, with the exception of contractor3, who only gets read permissions. Make sure your setup applies to existing and future files.

Important information:

Share directory: /shares/cases on serverb.
The manager1 and manager2 users are members of the managers group.
The contractor1, contractor2, and contractor3 users are members of the contractors group.
Two files exist in the directory: shortlist.txt and backlog.txt.
All five user passwords are redhat.
All changes should occur to the /shares/cases directory and its files; do not adjust the /shares directory.

The cases directory and its contents should belong to the managers group. New files added to the cases directory should automatically belong to the managers group. The user and group owners for the existing files should have read and write permission, and other users should have no permission at all.
Note
Hint: Do not use setfacl.
Log in to serverb as the student user.
[student@workstation ~]$ ssh student@serverb ...output omitted... [student@serverb ~]$
Use the sudo -i command to switch to the root user. The password for the student user is student.
[student@serverb ~]$ sudo -i [sudo] password for student: student [root@serverb ~]#
Use the chgrp command to recursively update group ownership on the directory and its contents.
[root@serverb ~]# chgrp -R managers /shares/cases
Use the chmod command to update the set-GID flag on the directory.
[root@serverb ~]# chmod g+s /shares/cases
Use chmod to update all existing file permissions to rw for owner and group.
[root@serverb ~]# chmod 660 /shares/cases/*
Add ACL entries to the cases directory (and its contents) that allow members of the contractors group to have read/write access on the files and execute permission on the directory. Restrict the contractor3 user to read access on the files and execute permission on the directory.
Use setfacl to recursively update the existing cases directory and its contents. Grant the contractors group read, write, and conditional execute permissions.
[root@serverb ~]# setfacl -Rm g:contractors:rwX /shares/cases
Use setfacl to recursively update the existing cases directory and its contents. Grant the contractor3 user read and conditional execute permissions.
[root@serverb ~]# setfacl -Rm u:contractor3:rX /shares/cases
Add ACL entries that ensure any new files or directories in the cases directory have the correct permissions applied for all authorized users and groups.
Use setfacl to update the default permissions for members of the contractors group. Default permissions are read, write, and execute (needed for proper subdirectory creation and access).
[root@serverb ~]# setfacl -m d:g:contractors:rwx /shares/cases
Use setfacl to update the default permissions for the contractor3 user. Default permissions are read and execute (needed for proper subdirectory access).
[root@serverb ~]# setfacl -m d:u:contractor3:rx /shares/cases

Verify that you have made your ACL and file-system changes correctly.

Use ls and getfacl to review your settings on /shares/cases.

As the student user, use su - user to switch first to manager1 and then to contractor1. Verify that you can write to a file, read from a file, make a directory, and write to a file in the new directory. Use ls to check the new directory permissions and getfacl to review the new directory ACL.

As the student user, use su - contractor3 to switch user. Try writing to a file (it should fail) and try to make a new directory (it should fail). As the contractor3 user, you should be able to read from the shortlist.txt file in the cases directory and you should be able to read from the "test" files written in either of the new directories created by manager1 and contractor1 users.

Note

The set of tests above are some of the tests you could perform to check that access permissions are correct. You should devise appropriate access validation tests for your environment.

As the root user, use ls to check the cases directory and its content. Look for group ownership, directory and file permissions. The "s" in the group file permissions indicates the set-GID flag is set, and the "+" indicates that ACL entries exist. At the end exit from the root user session.
```
[root@serverb ~]# ls -ld /shares/cases
drwxrws---+ 2 root managers 46 Mar 29 00:40 /shares/cases
[root@serverb ~]# ls -l /shares/cases
total 8
-rw-rw----+ 1 root managers 44 Mar 29 00:33 backlog.txt
-rw-rw----+ 1 root managers 46 Mar 29 00:33 shortlist.txt
```

Use getfacl and review its output. Look for the named user and named group entries in both the standard and default ACL.

[root@serverb ~]# getfacl /shares/cases
# file: shares/cases
# owner: root
# group: managers
# flags: -s-
user::rwx
user:contractor3:r-x
group::rwx
group:contractors:rwx
mask::rwx
other::---
default:user::rwx
default:user:contractor3:r-x
default:group::rwx
default:group:contractors:rwx
default:mask::rwx
default:other::---

[root@serverb ~]# exit
logout

Switch to the manager1 user and perform the following operations. Check that you get the expected access behavior.

[student@serverb ~]$ su - manager1
Password: redhat
[manager1@serverb ~]$ cd /shares/cases
[manager1@serverb cases]$ echo hello > manager1.txt
[manager1@serverb cases]$ cat shortlist.txt
###Shortlist of Clients to call###TEMPLATE###
[manager1@serverb cases]$ mkdir manager1.dir
[manager1@serverb cases]$ echo hello > manager1.dir/test.txt
[manager1@serverb cases]$ ls -ld manager1.dir
drwxrws---+ 2 manager1 managers 22 Mar 29 00:59 manager1.dir
[manager1@serverb cases]$ ls -l manager1.dir
total 4
-rw-rw----+ 1 manager1 managers 6 Mar 29 00:59 test.txt
[manager1@serverb cases]$ getfacl manager1.dir
# file: manager1.dir/
# owner: manager1
# group: managers
# flags: -s-
user::rwx
user:contractor3:r-x
group::rwx
group:contractors:rwx
mask::rwx
other::---
default:user::rwx
default:user:contractor3:r-x
default:group::rwx
default:group:contractors:rwx
default:mask::rwx
default:other::---

[manager1@serverb cases]$ exit
logout

Switch to the contractor1 user and perform the following operations. Check that you get the expected access behavior.

[student@serverb ~]$ su - contractor1
Password: redhat
[contractor1@serverb ~]$ cd /shares/cases
[contractor1@serverb cases]$ echo hello > manager1.txt
[contractor1@serverb cases]$ cat shortlist.txt
###Shortlist of Clients to call###TEMPLATE###
[contractor1@serverb cases]$ mkdir contractor1.dir
[contractor1@serverb cases]$ echo hello > contractor1.dir/test.txt
[contractor1@serverb cases]$ ls -ld contractor1.dir
drwxrws---+ 2 contractor1 managers 22 Mar 29 01:05 contractor1.dir
[contractor1@serverb cases]$ ls -l contractor1.dir
total 4
-rw-rw----+ 1 contractor1 managers 6 Mar 29 01:07 test.txt
[manager1@serverb cases]$ getfacl contractor1.dir
# file: contractor1.dir/
# owner: contractor1
# group: managers
# flags: -s-
user::rwx
user:contractor3:r-x
group::rwx
group:contractors:rwx
mask::rwx
other::---
default:user::rwx
default:user:contractor3:r-x
default:group::rwx
default:group:contractors:rwx
default:mask::rwx
default:other::---

[contractor1@serverb cases]$ exit
logout

Switch to the contractor3 user, and perform the following operations. Check that you get the expected access behavior.

[student@serverb ~]# su - contractor3
Password: redhat
[contractor3@serverb ~]# cd /shares/cases
[contractor3@serverb cases]# echo hello > contractor3.txt
-bash: contractor3.txt: Permission denied
[contractor3@serverb cases]# cat shortlist.txt
###Shortlist of Clients to call###TEMPLATE###
[contractor3@serverb cases]# mkdir contractor3.dir
mkdir: cannot create directory ‘contractor3.dir’: Permission denied
[contractor3@serverb cases]# cat manager1.dir/test.txt
hello
[contractor3@serverb cases]# cat contractor1.dir/test.txt
hello
[contractor3@serverb cases]# exit
logout
[student@serverb ~]#

Log off from serverb

[student@serverb ~]# exit
logout
Connection to serverb closed.
[student@workstation ~]$

Evaluation

On workstation, run the lab acl-review grade command to confirm success of this exercise.

[student@workstation ~]$ lab acl-review grade

Finish

On workstation, run the lab acl-review finish command to complete this exercise.

[student@workstation ~]$ lab acl-review finish

This concludes the lab.

Discuss Red Hat System Administration II

Go to community

Is It possible to reset root password when the system is on multi-user.target?

jennifer1987

27 lip 2023

Hi thereWell, i have a question, Is It possible to reset root password when the system is on multi-user.target? I was not be able to found a foro o some information related with this and another question that I have, If the grub menu dont show up, is it posible to reset the root password?

991

Red Hat System Administration II (RH134)

Haley_Ruccio

21 lip 2023

Build the skills to perform the key tasks needed to become a full-time Linux administratorRed Hat System Administration II (RH134) is the second part of the RHCSA training track for IT professionals who have already attended Red Hat System Administration I. The course goes deeper into core Linux system administration skills in storage configuration and management, installation and deployment of Red Hat Enterprise Linux, management of security features such as SELinux, control of recurring system tasks, management of the boot process and troubleshooting, basic system tuning, and command-line automation and productivity. This course assumes that students have attended Red Hat System Administration I (RH124).Experienced Linux administrators who seek rapid preparation for the RHCSA certification should instead start with RHCSA Rapid Track (RH199).This course is based on Red Hat Enterprise Linux 9.0.Course summaryInstall Red Hat Enterprise Linux using scalable methodsAccess security files, file systems, and networksExecute shell scripting and automation techniquesManage storage devices, logical volumes, and file systemsManage security and system accessControl the boot process and system servicesRun containersAudience for this courseThis course is geared toward Windows system administrators, network administrators, and other system administrators who are interested in supplementing current skills or backstopping other team members, in addition to Linux system administrators who are responsible for these tasks:Configuring, installing, upgrading, and maintaining Linux systems using established standards and proceduresProviding operational supportManaging systems for monitoring system performance and availabilityWriting and deploying scripts for task automation and system administrationRecommended trainingSuccessful completion of Red Hat System Administration I (RH124) is recommended.Experienced Linux administrators seeking to accelerate their path toward becoming a Red Hat Certified System Administrator should start with the RHCSA Rapid Track course (RH199).Take our free assessment to gauge whether this offering is the best fit for your skills.Technology considerationsThere are no special technology requirements.This course is not designed for bring your own device (BYOD).Internet access is not required, but is recommended to allow students to research and access Red Hat online resources.

Welcome to the Red Hat System Administration II (RH134) group in the Red Hat Learning Community!

Deanna

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat System Administration II! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH134.Read more about Red Hat System Administration II here.

417

Revision: rh134-8.2-f0a9756