How to apply ACL in linux

Access control lists are the advanced file permissions. By using the ACL we can assign the user to access or deny accessing a file or a directory.

Create a file and a directory and set permissions as of your choice.

To display the permissions as of your choice.

# getfacl /root/test/acltest.txt

To set read and execute permissions on the file.

# setfacl -m u:<username>:r-x /root/test/acltest.txt

To remove the ACL on the file.

# setfacl -x u:<username> /root/test/acltest.txt

User Administration & ACL Practice:


Create a group named "sysadmin" .A user sarah and natasha should belongs to "manager" group as a secondary group . A user steve should not have access to interactive shell and he should not be a member of "manager" group. passwd for all user created should be "password".

Answers |

# groupadd sysadmin

# groupadd manager

# useradd -g manager sarah

# useradd -g manager natasha

# useradd -s /sbin/nologin steve

# echo password | passwd --stdin sarah

# echo password | passwd --stdin natasha

# echo password | passwd --stdin steve

Questions 2 | Implement Access Control List

Implement acl feature on /var filesystem

copy /etc/fstab to /var/tmp/fstab

Owner and group owner of the file created should be retained by root user

Others should have read permission on the file

harry should have neither read nor write access to the file

simon should should have read and write access to the file

user dax & natasha should not have any access.

Answers |

# copy -prv /etc/fstab /var/tmp/fstab

# chown root.root /var/tmp/fstab

# chmod 775 /var/tmp/fstab

# setfacl -m u:harry:--x /var/tmp/fstab

# setfacl -m u:simon:rw- /var/tmp/fstab

# setfacl -m u:dax:--- /var/tmp/fstab

# setfacl -m u:natasha:--- /var/tmp/fstab

Questions 3 | Create users, groups and group members:

To set up different departments in your company setup the following user accounts:

A. Add users joshua, dax, alex, bryan, steve and joy to your system with their
respective passwords as "password".

B. Add the user alex and bryan to the sales group with gid 10000 and steve and joy to hr group with gid 10001and joshua and dax to the web group with gid 10002.

C. Each group should get their respective directory as sales, hr and web under the /data directory such that files created under these directories will be owned by the respective group created by their group members and will prevent to corrupt each other files.

Group GID Directory Users

sales 10000 /data/sales alex,bryan

hr 10001 /data/hr steve,joy

web 10002 /data/web joshua,dax

Answers |

# groupadd -g 10000 sales

# groupadd -g 10001 hr

# groupadd -g 10002 web

# mkdir -p /data/sales

# mkdir -p /data/hr

# mkdir -p /data/web

# chmod 1755 /data

# chgrp sales /data/sales

# chgrp hr /data/hr

# chgrp web /data/web

# useradd -g sales -d /data/sales alex

# useradd -g sales -d /data/sales bryan

# useradd -g hr -d /data/hr steve

# useradd -g hr -d /data/hr joy

# useradd -g web -d /data/web joshua

# useradd -g web -d /data/web dax


Create the Directory "/home/manager" with the following characteristics. Group ownership of "/home/manager" should go to "manager" group. The directory should be have full permission for all members off "manager" group but not to any other users accept "root". Files created under "/home/manager" should get the same group ownership is set to the "manager"

Answers |

# groupadd manager

# mkdir /home/manager

# chgrp manager /home/manager

# chmod 770 /home.manager

# setfacl -m u:root:rwx /home/manager

# setfacl -m g:manager:rwx /manager

No comments:

Post a Comment