ACL (access control list)

Access control lists (ACLs) are an advanced form of file permissions. With an ACL we can grant or deny an individual user access to a file or a directory.
To use them, first add the 'acl' mount option to the 'fstab' entry for the '/' filesystem as follows.

# vi /etc/fstab

LABEL=/ / ext3 defaults,acl 1 1

:x (save and exit)

Remount the '/' filesystem for the change to take effect.

# mount -o remount,rw /

Create a file and a directory and set permissions of your choice.

To display the permissions (including ACL entries) on the file.
# getfacl /root/test/acltest.txt

To set read and execute permissions on the file for a user.
# setfacl -m u:<username>:r-x /root/test/acltest.txt

To remove that user's ACL entry from the file.
# setfacl -x u:<username> /root/test/acltest.txt

User Administration & ACL Practice:

Questions 1 | USER'S GROUPS AND PERMISSION:

Create a group named "sysadmin". The users sarah and natasha should belong to the "manager" group as a secondary group. The user steve should not have access to an interactive shell and should not be a member of the "manager" group. The password for all users created should be "password".

Answers |
# groupadd sysadmin
# groupadd manager
# useradd -G manager sarah
# useradd -G manager natasha
# useradd -s /sbin/nologin steve
# echo password | passwd --stdin sarah
# echo password | passwd --stdin natasha
# echo password | passwd --stdin steve

Questions 2 | Implement Access Control List
Implement the ACL feature on the /var filesystem.
Copy /etc/fstab to /var/tmp/fstab.
Owner and group owner of the file created should be retained by the root user.
Others should have read permission on the file.
harry should have neither read nor write access to the file.
simon should have read and write access to the file.
The users dax & natasha should not have any access.

Answers |
# cp -prv /etc/fstab /var/tmp/fstab
# chown root:root /var/tmp/fstab
# chmod 775 /var/tmp/fstab
# setfacl -m u:harry:--x /var/tmp/fstab
# setfacl -m u:simon:rw- /var/tmp/fstab
# setfacl -m u:dax:--- /var/tmp/fstab
# setfacl -m u:natasha:--- /var/tmp/fstab
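
The result of the commands above can be audited from `getfacl` output without logging in as each user. The following is an added example, not part of the original post: it applies the POSIX ACL check order (owner, named user, groups, other, with the mask capping named-user and group entries). The helper name `acl_effective` is hypothetical and the `getfacl` listing is constructed.

```shell
# Added example. acl_effective is a hypothetical helper, not a system tool.
# Usage: acl_effective USER "grp1,grp2" < getfacl-output
acl_effective() {
    awk -v user="$1" -v groups="$2" '
    # Combine two rwx strings bit by bit; op is "and" or "or".
    function combine(a, b, op,   i, x, y, out) {
        out = ""
        for (i = 1; i <= 3; i++) {
            x = substr(a, i, 1); y = substr(b, i, 1)
            if (op == "and") out = out ((x != "-" && y != "-") ? x : "-")
            else             out = out ((x != "-") ? x : y)
        }
        return out
    }
    BEGIN { n = split(groups, g, ","); for (i = 1; i <= n; i++) ingrp[g[i]] = 1
            mask = "rwx"; grp = "---" }
    /^# (owner|group): / { if ($2 == "owner:") owner = $3; else ogroup = $3; next }
    /^#/ || NF == 0 { next }
    {
        split($1, f, ":")               # tag : qualifier : perms
        if (f[1] == "user" && f[2] == "")          uobj = f[3]
        else if (f[1] == "user" && f[2] == user) { named = f[3]; hasnamed = 1 }
        else if (f[1] == "group") {     # per-bit union over every matching group
            name = (f[2] == "") ? ogroup : f[2]
            if (name in ingrp) { grp = combine(grp, f[3], "or"); grpmatch = 1 }
        }
        else if (f[1] == "mask")  mask = f[3]
        else if (f[1] == "other") other = f[3]
    }
    END {   # check order: owner, named user, groups, other
        if (user == owner) print uobj
        else if (hasnamed) print combine(named, mask, "and")
        else if (grpmatch) print combine(grp, mask, "and")
        else               print other
    }'
}
# Constructed getfacl listing for /var/tmp/fstab after the commands above.
SAMPLE_ACL='# file: var/tmp/fstab
# owner: root
# group: root
user::rwx
user:harry:--x
user:simon:rw-
user:dax:---
user:natasha:---
group::rwx
mask::rwx
other::r-x'
for u in harry simon dax natasha; do echo "$u $(printf '%s\n' "$SAMPLE_ACL" | acl_effective "$u" "")"; done
```

If a later `chmod 644` rewrites the mask line to `mask::r--`, simon's effective access drops to `r--`, so the mask line should always be read together with the named entries.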

Questions 3 | Create users, groups and group members:
To set up different departments in your company, set up the following user accounts:

A. Add users joshua, dax, alex, bryan, steve and joy to your system, each with the password "password".

B. Add the users alex and bryan to the sales group with gid 10000, steve and joy to the hr group with gid 10001, and joshua and dax to the web group with gid 10002.

C. Each group should get its own directory (sales, hr and web) under the /data directory, such that files created under these directories are owned by the respective group of the members who created them, and members are prevented from corrupting each other's files.

Group   GID     Directory     Users
sales   10000   /data/sales   alex,bryan
hr      10001   /data/hr      steve,joy
web     10002   /data/web     joshua,dax

Answers |
# groupadd -g 10000 sales
# groupadd -g 10001 hr
# groupadd -g 10002 web
# mkdir -p /data/sales
# mkdir -p /data/hr
# mkdir -p /data/web
# chmod 1755 /data
# chgrp sales /data/sales
# chgrp hr /data/hr
# chgrp web /data/web
# useradd -g sales -d /data/sales alex
# useradd -g sales -d /data/sales bryan
# useradd -g hr -d /data/hr steve
# useradd -g hr -d /data/hr joy
# useradd -g web -d /data/web joshua
# useradd -g web -d /data/web dax

Questions 4 | DIRECTORY COLLABORATION:

Create the directory "/home/manager" with the following characteristics. Group ownership of "/home/manager" should go to the "manager" group. The directory should have full permissions for all members of the "manager" group but not for any other users except "root". Files created under "/home/manager" should get their group ownership set to the "manager" group.

Answers |
# groupadd manager
# mkdir /home/manager
# chgrp manager /home/manager
# chmod 2770 /home/manager
# setfacl -m u:root:rwx /home/manager
# setfacl -m g:manager:rwx /home/manager