Task I - Working with Access Control Lists

In the following task, you will set up two types of ACLs. The first ACL will grant special permissions to a group. The second ACL will take away standard permissions from a group.

GRANT SPECIAL PERMISSIONS TO A GROUP

1) Create a hypothetical web server directory called /apache. Give it directory permissions of 755, owned by root in the group sys.

    # mkdir /apache
    # chmod 755 /apache
    # chown root:sys /apache
    # ls -ld /apache
    drwxr-xr-x   2 root     sys          512 Jul 31 19:52 /apache

2) Create a group called web and a user called webmin with web as the user's primary group.

    # groupadd web
    # useradd -g web webmin

3) The group "web" consists of web designers, including webmin. These users need write access to the /apache directory. The group "sys" cannot be changed as the primary group of the /apache directory, so the only way to grant write access to the "web" group is to create an ACL entry for that group granting it write access. The mask entry (m:7) is set at the same time so that it does not limit the effective permissions of the group entry.

    # setfacl -m m:7,g:web:7 /apache

4) The group "web" should now have write access to the /apache directory. Check the file permissions on the /apache directory.

    # ls -ld /apache
    drwxr-xr-x+  2 root     sys          512 Jul 31 19:52 /apache

5) The "+" denotes that an ACL entry has been made on the /apache directory. View the access control list for the /apache directory.

    # getfacl /apache
    # file: /apache
    # owner: root
    # group: sys
    user::rwx
    group::r-x              #effective:r-x
    group:web:rwx           #effective:rwx
    mask:rwx
    other:r-x

6) The group "web" has effective permissions of rwx, so this group should be able to write to the /apache directory. Test this configuration by using the su command to switch to the "webmin" user and trying to create an index.html file in the /apache directory.

    # su webmin
    # id
    uid=100006(webmin) gid=30003(web)
    # cd /apache
    # touch index.html
    # ls -l
    total 0
    -rw-r--r--   1 webmin   web            0 Jul 31 20:05 index.html

7) Verify that the ACL is only effective for the group "web" by having another user who is not in the ACL try to write to the /apache directory.

    # exit
    # su alice
    # id
    uid=100007(alice) gid=1(other)
    # cd /apache
    # touch index2.html
    touch: index2.html cannot create

8) User alice cannot create a file. This verifies that the ACL only grants the group "web" write permission to the /apache directory.

TAKE AWAY STANDARD PERMISSIONS FROM A GROUP

1) For this exercise, we will assume that the group "web" consists of shared user accounts like "webmin". Due to the shared nature of the accounts and the ease of password stealing, it is a good idea to set permissions as restrictively as possible. You are going to take away execute permission on the passwd command for the group "web" so that none of the users in that group can change their passwords. This prevents an unauthorized user from changing the password on the shared account, which could result in a denial of service on that account.

    # setfacl -m g:web:0 /usr/bin/passwd
    # ls -l /usr/bin/passwd
    -r-sr-sr-x+  3 root     sys        73748 Jul 27  2001 /usr/bin/passwd

2) Check the ACL using the getfacl command.

    # getfacl /usr/bin/passwd
    # file: /usr/bin/passwd
    # owner: root
    # group: sys
    user::r-x
    group::r-x              #effective:r-x
    group:web:---           #effective:---
    mask:r-x
    other:r-x

3) Verify that the user "webmin" cannot execute the passwd command.

    # su webmin
    # id
    uid=100006(webmin) gid=30003(web)
    # passwd
    passwd: execute permission denied

4) You have now taken away execute permission for any user in the group "web".

5) Delete the ACL entry from the passwd command.

    # setfacl -d g:web:0 /usr/bin/passwd
    # ls -l /usr/bin/passwd
    -r-sr-sr-x   3 root     sys        73748 Jul 27  2001 /usr/bin/passwd

6) Attempt to change the password as user "webmin".

    # passwd webmin
    Enter login password:
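The following is an added example, not part of the lab: a small model of how getfacl output is evaluated (owner entry, named user entries, the masked group class, then other), so that both exercises above (web writing to /apache, alice denied; web denied execute on passwd) can be reproduced offline. The ACL texts are constructed from the lab's getfacl output, and the group memberships assumed for webmin and alice are the ones shown by id in the lab.

```python
# Added example, not part of the original lab: evaluate Solaris-style getfacl
# output (owner, named user, masked group class, other). Samples are constructed.
import re
APACHE_ACL = """# file: /apache
# owner: root
# group: sys
user::rwx
group::r-x              #effective:r-x
group:web:rwx           #effective:rwx
mask:rwx
other:r-x"""
PASSWD_ACL = """# file: /usr/bin/passwd
# owner: root
# group: sys
user::r-x
group::r-x              #effective:r-x
group:web:---           #effective:---
mask:r-x
other:r-x"""
def parse_acl(text):
    """Turn getfacl output into owner, owning_group, user/group entries, mask, other."""
    acl = {"user": {}, "group": {}}
    for raw in text.splitlines():
        m = re.match(r"#\s*(owner|group):\s*(\S+)", raw)
        if m:                                    # '# owner:' / '# group:' header lines
            acl["owner" if m.group(1) == "owner" else "owning_group"] = m.group(2)
            continue
        line = raw.split("#")[0].strip()         # drop '#effective:' annotations
        if not line:
            continue
        kind, *rest = line.split(":")
        if kind in ("user", "group"):            # empty name = owner / owning group
            acl[kind][rest[0]] = rest[1]
        else:                                    # mask / other
            acl[kind] = rest[0]
    return acl
def effective(acl, perms):
    """Named-user, owning-group and named-group entries are ANDed with the mask."""
    return "".join(p if p in acl["mask"] else "-" for p in perms)
def has_perm(acl, user, groups, want):
    """Check one permission bit ('r', 'w' or 'x') in Solaris/POSIX ACL order."""
    if user == acl["owner"]:
        return want in acl["user"][""]           # owner entry is never masked
    if user in acl["user"]:
        return want in effective(acl, acl["user"][user])
    matches = [acl["group"][""] if g == acl["owning_group"] else acl["group"][g]
               for g in groups if g == acl["owning_group"] or g in acl["group"]]
    if matches:                                  # group class: no fall-through to other
        return any(want in effective(acl, p) for p in matches)
    return want in acl["other"]
```

Because the group class never falls through to the other entry, a member of "web" is denied execute on passwd even though other:r-x would have allowed it.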