RHCSA Rapid Track

Student is a controller for the Sodor Island Rail network. There is a properly configured share directory located at /shares/steamies that hosts files detailing rostering, steam engines, etc.

Currently, only members of the controller group have access to this directory, but it has been decided that members of the sodor group would benefit from full access to this directory.

James, a member of the sodor group, has caused chaos and confusion on many occasions, so he is to be denied access to the directory, at least until he shows that he is a really useful engine.

Your task is to add appropriate ACLs to the directory and its contents, so that members of the sodor group have full access, but deny user james any access. Make sure that future files and directories stored in /shares/steamies get appropriate ACLs applied.

Important information:

1. Add the named ACLs to the steamies directory and all of its content.

   1. Use setfacl to recursively update the steamies directory, granting the sodor group read, write, and conditional execute permissions.

      [root@serverX ~]# setfacl -Rm g:sodor:rwX /shares/steamies

      -R recursive, -m modify/add, :rwX read/write/eXecute (but only on directories and existing executables)

   2. Use setfacl to recursively update the steamies directory, denying the user james from the sodor group any access.

      [root@serverX ~]# setfacl -Rm u:james:- /shares/steamies

      -R recursive, -m modify/add, :- no permissions

2. Add the named ACLs as default ACLs to support future file and directory additions.

   1. Use setfacl to add a default access rule for the sodor group. Grant read, write, and execute permissions on the steamies directory.

      [root@serverX ~]# setfacl -m d:g:sodor:rwx /shares/steamies

      -m modify/add, d:g default group, :rwx read/write/execute (needed for proper subdirectory creation and access)

   2. Use setfacl to add a default access rule for the user james. Deny all access to the steamies directory.

      [root@serverX ~]# setfacl -m d:u:james:- /shares/steamies

      -m modify/add, d:u default user, :- no permissions

3. Verify your ACL changes.

   Thomas should be able to read any file, create a new directory with a new file in it, and execute the display_engines.sh script.

   James should not be able to read, write, or execute any file; this includes being unable to list the directory contents.

   Use sudo -i -u user to switch to your test users. Use exit or Ctrl+D to leave the test user shell.

   [root@serverX ~]# exit
   [student@serverX ~]$ sudo -i -u thomas
   [thomas@serverX ~]$ cd /shares/steamies/

   1. Use cat to check that Thomas can read a file.

      [thomas@serverX steamies]$ cat roster.txt
      James - Shunting at Brendam docks
      Percy - Overnight mail run
      Henry - Flying Kipper run
      Thomas - Annie and Clarabel, Knapford line

   2. Use display_engines.sh to check that Thomas can execute a script.

      [thomas@serverX steamies]$ ./display_engines.sh
      They're two, they're four, they're six, they're eight ...
      Edward wants to help and share
      ...
      Toby, well let's say, he's square

   3. Use mkdir to create a directory as Thomas.

      Use echo to create a file in the new directory as Thomas.

      Switch back to student when you are finished.

      [thomas@serverX steamies]$ mkdir tidmouth
      [thomas@serverX steamies]$ echo "toot toot" > tidmouth/whistle.txt
      [thomas@serverX steamies]$ exit

   4. Use cd to try and change into the directory as James, and also try ls to list the directory. Both commands should fail with Permission denied.

      You could try one or more of the commands Thomas issued, but as James, to further verify his lack of access. Try prefixing each file with the full path, /shares/steamies, because you cannot cd into the directory.

      Switch back to student when you are finished testing james.

      [student@serverX ~]$ sudo -i -u james
      [james@serverX ~]$ cd /shares/steamies/
      -bash: cd: /shares/steamies/: Permission denied
      [james@serverX ~]$ ls /shares/steamies/
      ls: cannot open directory /shares/steamies: Permission denied
      [james@serverX ~]$ cat /shares/steamies/roster.txt
      cat: /shares/steamies/roster.txt: Permission denied
      [james@serverX ~]$ exit

   5. Use getfacl to see all the ACLs on /shares/steamies and the ACLs on /shares/steamies/tidmouth.

      Note

      Use newgrp controller to switch student to the controller group.

      The lab acl setup script adds controller as a supplementary group to student; however, unless you have restarted the shell prior to this step, then the current shell does not yet recognize the new membership and getfacl on tidmouth will get Permission denied.

      [student@serverX ~]$ newgrp controller
      [student@serverX ~]$ getfacl /shares/steamies
      getfacl: Removing leading '/' from absolute path names
      # file: shares/steamies/
      # owner: root
      # group: controller
      # flags: -s-
      user::rwx
      user:james:---
      group::rwx
      group:sodor:rwx
      mask::rwx
      other::---
      default:user::rwx
      default:user:james:---
      default:group::rwx
      default:group:sodor:rwx
      default:mask::rwx
      default:other::---
      
      [student@serverX ~]$ getfacl /shares/steamies/tidmouth
      getfacl: Removing leading '/' from absolute path names
      # file: shares/steamies/tidmouth
      # owner: thomas
      # group: controller
      # flags: -s-
      user::rwx
      user:james:---
      group::rwx
      group:sodor:rwx
      mask::rwx
      other::---
      default:user::rwx
      default:user:james:---
      default:group::rwx
      default:group:sodor:rwx
      default:mask::rwx
      default:other::---