Chapter 7: Control Access to Files
Welcome to Chapter 7 of my RH124 course blog! In this chapter, I'll be sharing my hands-on experience with controlling access to files in Linux. I'll walk you through how I tackled each lab task, from listing file system permissions to interpreting their effects on user and group access. I'll also share my command-line tools for changing permissions and ownership, as well as my insights on special permissions and setting default permissions for user-created files. Join me as I share my journey and problem-solving approach in mastering file access control in Linux.
Question 1: Log in to serverb as the student user. Run the sudo -i command at the shell prompt to become the root user. Use student as the student user password.
Solution:
To solve this task, I used the ssh student@serverb command to log in to serverb as the student user. Once logged in, I then ran the sudo -i command at the shell prompt to switch to the root user, which prompted me to enter the student user password for authentication. This allowed me to gain root access and perform administrative tasks on the server. It's important to always use sudo carefully and with proper authorization to ensure system security.
Question 2: Create a /home/techdocs directory.
Solution:
To create the /home/techdocs directory, I used the mkdir /home/techdocs command. The mkdir command is used to create a directory in Linux. Alternatively, I could also use the mkdir -p /home/techdocs command, where the -p option would ensure that the entire directory path is created if it does not exist. This would allow me to create the /home/techdocs directory and any necessary parent directories in a single command, making it more efficient and convenient.
Question 3: Change the group ownership of the /home/techdocs directory to the techdocs group.
Solution:
To change the group ownership of the /home/techdocs directory to the techdocs group, I used the chown :techdocs /home/techdocs command. The chown command is used to change ownership in Linux, and the : before the group name specifies that I want to change the group ownership. This allowed me to set the techdocs group as the new group owner for the /home/techdocs directory, ensuring that users in the techdocs group have appropriate access and permissions.
Question 4: Verify that users in the techdocs group cannot create files in the /home/techdocs directory.
Solution:
To verify this, I switched to another user, tech1, who is a member of the techdocs group, and attempted to create a file using the touch command. However, I received an error message indicating that I did not have permission to create the file. Alternatively, I could also use the ls -ld /home/techdocs command to obtain a long listing of the directory, which would show the group permissions. By observing that the techdocs group does not have write permission, I can confirm that users in the techdocs group cannot create files in the /home/techdocs directory.
Question 5: Set permissions on the /home/techdocs directory. On the /home/techdocs directory, configure setgid (2); read, write, and execute permissions (7) for the owner/user and group; and no permissions (0) for other users.
Solution:
To set the permissions as specified, I used the chmod command with the octal method: chmod 2770 /home/techdocs. The 2 at the beginning is used to configure setgid, which sets the group ownership of newly created files to the same group as the directory. The first 7 sets read, write, and execute permissions for the owner/user, the second 7 sets the same permissions for the group, and the 0 sets no permissions for other users who are not the owner or members of the group. This ensures that only the owner/user and the group have full access to the directory, while others have no access.
Question 6:
- Verify that the permissions are set properly.
- The techdocs group now has write permission.
Solution:
To verify the permissions, I used the ls -ld /home/techdocs command to do a long listing of the techdocs directory. This provided information about the permissions of the directory. Upon inspection, I confirmed that the owner/user and the owning group have full permissions (read, write, and execute), while others have no permissions (0). This is in accordance with the set permissions specified in the previous task. As a result, the techdocs group now has write permission, allowing members of the group to create, modify, and delete files within the directory.
Question 7: Confirm that users in the techdocs group can now create and edit files in the /home/techdocs directory. Users that are not in the techdocs group cannot edit or create files in the /home/techdocs directory. The tech1 and tech2 users are in the techdocs group. The database1 user is not in that group.
Solution:
To confirm the permissions, I used the su - command followed by the usernames tech1, tech2, and database1 to switch to each of these user accounts. Then, I tried to create a file in the /home/techdocs directory using the touch command. I observed that tech1 and tech2, who are members of the techdocs group, were able to create and edit files in the directory without any issues. However, database1, who is not a member of the techdocs group, received an error message indicating that they do not have permission to create or edit files in the directory. This confirms that users in the techdocs group can now create and edit files in the /home/techdocs directory, while users not in the group do not have such permissions.
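The checks from Questions 5 to 7 can also be run as a read-only script; this is an added example, not part of the original lab solution. audit_shared_dir is a hypothetical helper name, the temporary directory stands in for /home/techdocs, and GNU stat (as shipped on RHEL) is assumed.

```sh
#!/bin/sh
# Usage: audit_shared_dir DIR GROUP   (GROUP is a group name or a numeric GID)
# Returns 0 only when DIR is group-owned by GROUP, has setgid set,
# gives the group rwx and gives other users nothing (the chmod 2770 layout).
audit_shared_dir() {
    dir=$1; want=$2; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }

    mode=$(printf '%04d' "$(stat -c %a "$dir")")   # pad 770 to 0770
    special=${mode%???}                             # setuid/setgid/sticky digit
    rest=${mode#?}                                  # user, group, other digits
    grp=${rest#?}; grp=${grp%?}
    oth=${rest#??}

    if [ "$(stat -c %G "$dir")" != "$want" ] && [ "$(stat -c %g "$dir")" != "$want" ]; then
        echo "FAIL: group owner is $(stat -c %G "$dir"), expected $want"; rc=1
    fi
    [ $(( special & 2 )) -ne 0 ] || { echo "FAIL: setgid not set (mode $mode)"; rc=1; }
    [ "$grp" -eq 7 ] || { echo "FAIL: group lacks rwx (mode $mode)"; rc=1; }
    [ "$oth" -eq 0 ] || { echo "FAIL: others have access (mode $mode)"; rc=1; }
    return $rc
}

# Constructed demo: the invoking user's own group stands in for techdocs.
demo=$(mktemp -d)
chmod 2770 "$demo"
audit_shared_dir "$demo" "$(id -g)" && echo "OK: $demo matches the 2770 layout"
chmod o+rx "$demo"                    # simulate permission drift
audit_shared_dir "$demo" "$(id -g)" || echo "(drift detected as expected)"
rm -rf "$demo"
```

On the lab host the equivalent call would be audit_shared_dir /home/techdocs techdocs.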
Question 8: Modify the /etc/login.defs file to adjust the default umask for login shells. Normal users should have a umask setting that allows the user and group to create, write and execute files and directories, while preventing other users from viewing, modifying, or executing new files and directories.
Solution:
To modify the /etc/login.defs file to adjust the default umask for login shells, follow these steps:
- Determine the umask of the student user by logging in as the student user and running the umask command. Note down the current umask value, which in this case is 022.
- Switch to the student login shell using the ssh student@serverb command, providing the student user's password when prompted.
- Once inside the student login shell, edit the /etc/login.defs file using a text editor of your choice, such as nano or vim. I use vim.
- Search the file for the umask definition. It may be listed as UMASK or USERGROUPS_ENAB. Update the umask value with the appropriate value, in this case 007, which allows the user and group to create, write, and execute files and directories, while preventing others from viewing, modifying, or executing new files and directories.
- Save and exit the file.
- Exit from the student login shell using the exit command.
- As the student user, verify that the global umask has changed to 007 by running the umask command again. The output should now show the updated umask value.
Note: Modifying system files, such as /etc/login.defs, requires administrative privileges. Make sure to have appropriate permissions or use sudo or root access to edit the file.
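To see what the 022 and 007 values from the steps above actually produce, the following added example (not part of the original lab) reads the UMASK line from a login.defs-style file and creates a file and a directory under that mask. The function names are hypothetical, the sample file is constructed, and GNU stat and mktemp are assumed.

```sh
#!/bin/sh
# login_defs_umask [FILE]: print the active UMASK value from a login.defs-style file.
# Commented-out lines ("#UMASK 022") are skipped: their first field is not "UMASK".
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { if (v != "") print v }' "${1:-/etc/login.defs}"
}

# modes_under_umask MASK: create a file and a directory under MASK, print their modes.
# Runs in a subshell so the caller's own umask is left unchanged.
modes_under_umask() {
    (
        work=$(mktemp -d) || exit 1
        umask "$1"
        touch "$work/file"      # files start from 666, so they never get an execute bit
        mkdir "$work/dir"       # directories start from 777
        f=$(stat -c %a "$work/file"); d=$(stat -c %a "$work/dir")
        # Keep the last three digits (a setgid parent would add a leading 2 to dir).
        f=${f#"${f%???}"}; d=${d#"${d%???}"}
        echo "file=$f dir=$d"
        rm -rf "$work"
    )
}

# Constructed sample, not a real /etc/login.defs.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#UMASK          022
UMASK           007
USERGROUPS_ENAB yes
EOF
mask=$(login_defs_umask "$sample")
echo "UMASK $mask -> $(modes_under_umask "$mask")"
echo "UMASK 022 -> $(modes_under_umask 022)"
rm -f "$sample"
```

With 007, new files come out as 660 and new directories as 770, so other users get no access, while 022 leaves both readable by everyone (644 and 755).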
Conclusion
I have covered various tasks related to file permissions and ownership in this chapter. I learned how to create directories, change ownership and group, set permissions using the octal method, and modify default umask settings. By implementing these tasks, I have successfully configured permissions to allow or restrict access to files and directories based on ownership and group membership. It is important to understand and implement proper file permissions and ownership in order to maintain security and control access to sensitive data. Regularly reviewing and updating file permissions is essential to ensure that only authorized users have appropriate access levels. I hope you found this chapter informative and useful. Feel free to engage with me if you have any questions or need further clarification.