acls
1. Create a second user on the system called "starbuck". Open a second terminal window into the
lab server connected as the user starbuck. Ensure you're working as a privileged user
(sudo) or the root user while performing the lab. The starbuck user will be used to test the permissions you set.
[root@localhost ~]# useradd starbuck; passwd starbuck
Changing password for user starbuck.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
2. Navigate into the /tmp directory and create two new directories named dir1 and dir2 and
two files called file1 and file2.
[root@localhost tmp]# mkdir {dir1,dir2}; touch {file1,file2}
3. Identify whether any of the files currently have extended access control lists associated with them.
[root@localhost tmp]# ls -l
total 0
drwxr-xr-x. 2 root root 6 May 5 20:00 dir1
drwxr-xr-x. 2 root root 6 May 5 20:00 dir2
-rw-r--r--. 1 root root 0 May 5 20:00 file1
-rw-r--r--. 1 root root 0 May 5 20:00 file2
Note: The files have base ACLs but do not have extended ACLs. We know they do not have extended
ACLs because there is no + at the end of the permissions listed.
4. Set an ACL for the starbuck user to read and write for file1
[root@localhost tmp]# setfacl -m u:starbuck:rw file1
[root@localhost tmp]# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:starbuck:rw-
group::r--
mask::rw-
other::r--
5. Set the mask on the file1 to read only, then as the starbuck user in your second terminal,
attempt to execute the following command echo "test" > /tmp/file1. Explain why this did not work.
[root@localhost tmp]# setfacl -m m::r file1
[root@localhost tmp]# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:starbuck:rw- #effective:r--
group::r--
mask::r--
other::r--
Starbuck's Terminal
[starbuck@localhost tmp]$ echo "test "> /tmp/file1
-bash: /tmp/file1: Permission denied
Summary: Starbuck was unable to write to file1 even though starbuck had an ACL entry with rw. The mask
sets the "maximum" permissions a named user, named group or the owning group can receive; with the mask at r,
the w bit was masked out, so the effective permission was read only.
6. Set the default permissions on dir1 to read write and execute for the starbuck user
(execute ONLY if it is a directory).
[root@localhost tmp]# setfacl -d -m u:starbuck:rwX dir1
[root@localhost tmp]# getfacl dir1
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:starbuck:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
7. Using setfacl change the "other" permissions to none on file1
[root@localhost tmp]# setfacl -m o::- file1
[root@localhost tmp]# ls -l
total 8
drwxr-xr-x+ 2 root root 6 May 5 20:00 dir1
drwxr-xr-x. 2 root root 6 May 5 20:00 dir2
-rw-rw----+ 1 root root 0 May 5 20:00 file1
-rw-r--r--. 1 root root 0 May 5 20:00 file2
8. Remove the default permissions from dir1
[root@localhost tmp]# setfacl --remove-default dir1
[root@localhost tmp]# getfacl dir1
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
9. Remove all ACLs on file1
[root@localhost tmp]# setfacl --remove-all file1
[root@localhost tmp]# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::---
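Added example, not part of the lab: a small POSIX shell helper that reproduces the two ACL rules this lab exercises, the mask ANDing behind the "Permission denied" in step 5 and the mask recalculation that leaves file1 as -rw-rw----+ in step 7, on a constructed copy of the step 5 getfacl output, so the behaviour can be checked without root or an ACL-enabled filesystem. The function names and the sample text are assumptions.

```shell
#!/bin/sh
# Constructed sample: the file1 ACL after step 5, where the mask was lowered to r--.
ACL_STEP5='# file: file1
# owner: root
# group: root
user::rw-
user:starbuck:rw-   #effective:r--
group::r--
mask::r--
other::r--'

# effective_perm ACL_TEXT NAME
# Prints the rights a named user actually gets: its entry ANDed with the mask.
# Only named users, named groups and the owning group are masked; the file
# owner (user::) and other:: are not.
effective_perm() {
    printf '%s\n' "$1" | awk -F: -v who="$2" '
        /^#/ { next }
        $1 == "user" && $2 == who { entry = substr($3, 1, 3) }
        $1 == "mask"              { mask  = substr($3, 1, 3) }
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "")  { print entry; exit }   # no mask entry, nothing to mask
            for (i = 1; i <= 3; i++) {
                c = substr(entry, i, 1); m = substr(mask, i, 1)
                out = out ((c != "-" && m != "-") ? c : "-")
            }
            print out
        }'
}

# recalc_mask ACL_TEXT
# Reproduces what setfacl does when an entry is changed without -n: the mask
# becomes the union of the owning group and every named user/group entry.
# This is why step 7 ends with the mask back at rw- and ls -l shows -rw-rw----+.
recalc_mask() {
    printf '%s\n' "$1" | awk -F: '
        BEGIN { u[1] = "-"; u[2] = "-"; u[3] = "-" }
        /^#/ { next }
        ($1 == "group") || ($1 == "user" && $2 != "") {
            for (i = 1; i <= 3; i++) { c = substr($3, i, 1); if (c != "-") u[i] = c }
        }
        END { print u[1] u[2] u[3] }'
}

# Usage: starbuck's effective rights under the step 5 mask, and the mask
# setfacl would recalculate from the same entries.
effective_perm "$ACL_STEP5" starbuck   # r--  (w masked out, hence "Permission denied")
recalc_mask    "$ACL_STEP5"            # rw-
```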