Linux-based machines have many strong security features built in, but one significant potential vulnerability arises when local access is allowed: file-permission problems caused by a user not setting the right permissions on files and directories. Completing the "Configure Advanced Permissions in Linux" IT Pro Challenge virtual lab means that learners have demonstrated the ability to use root privileges to create the required user accounts, groups, directories, and files, and to configure the SGID permission and the Sticky Bit permission on a directory. Other Challenges in this series are “Configure Standard Permissions in Linux” and “Can you Configure ACL Permissions in Linux?”
Understand the Scenario
Linux file servers play a vital role. When utilizing one of the modern Linux distributions, you have several distinct file sharing alternatives to pick from. Some of them are easy but not that secure. Others are highly reliable, yet need some know-how to set up initially. In this virtual lab, you are the system administrator for a Linux file server used for project collaboration. Your role is to protect user data while granting proper access to data for individuals and groups. In this challenge, you will create the required user accounts, groups, directories, and files. To strengthen security, you will configure SGID and Sticky Bit directory permissions. Finally, you will use absolute mode and symbolic mode to configure the SGID and the Sticky Bit permissions.
Understand your environment
In this hands-on lab, you will work from a terminal emulator on the virtual machine called CentOS7. The virtual machine is built with a default installation of Linux with the Server with GUI package installed, and non-privileged accounts have been created for you.
Create the required user accounts, groups, directories and files
In this first section of the challenge, you will sign in to the CentOS7 machine by using the given login credentials. You will then obtain root privileges to create two new user accounts and set the password for both accounts. In the next step, you will create a group called sales and add both user accounts to that group. You will also learn how to create a directory at the root of the filesystem and associate the /project-files directory with the sales group. Finally, you will use standard Linux permissions to grant the sales group read, write, and execute permissions.
Set and verify advanced permissions on the /project-files directory
SGID (Set Group ID upon execution) is a special type of file permission assigned to a file or directory. Normally, when a program runs in Linux, it inherits its access permissions from the logged-in user. With SGID set on an executable file, the user temporarily runs the program with the permissions of the file's group, as if they were a member of that group. With SGID set on a directory, new files created in it take the directory's group association. In this section of the virtual lab, you will learn how to configure and test the SGID permission on a directory.
To accomplish this, you will use advanced permissions to configure the Set Group ID (SGID) permission on the /project-files directory. You will learn how to switch between the root and the two created user accounts. You will then check the group association of a new file to confirm that it is associated with the sales group. Finally, you will switch between the two user accounts and try to delete some files. The two users can delete each other's files, as they both belong to the sales group.
Use the Sticky Bit to prevent users from deleting each other's files
The Sticky Bit is a permission bit set on a file or a directory that allows only the owner of the file/directory or the root user to delete or rename the file. No other user is granted rights to delete a file created by another user. In this section of the lab, you will configure the Sticky Bit permission on the /project-files directory by using the chmod command. You will then switch to the user accounts to re-create the .txt text file, creating these text files under both user accounts. You will then try to delete one user's text file while logged in as the other user. You will learn that although standard Linux permissions would appear to allow the file deletion, the Sticky Bit blocks deletion by anyone other than the owner of that file.
Use absolute mode and symbolic mode to configure the Sticky Bit and SGID
In absolute mode, you set the permissions for all owner classes (user, group, and others) at once by using octal numbers; in symbolic mode, you can modify the permissions of a particular owner class. In this final section of the challenge, you will sign in as root and create a new directory at the root of the filesystem named /sales-projects. You will then learn how to associate the sales group with the new /sales-projects directory and configure the Sticky Bit and SGID together on the /sales-projects directory by using absolute mode. After associating the sales group, you will learn how to create a new directory at the root of the filesystem named /sales-collaboration. Finally, you will configure the Sticky Bit and SGID on the /sales-collaboration directory by using symbolic mode to prevent deletion by anyone other than the owner of that file.
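The following is an added example, not part of the lab itself: it sets SGID and the Sticky Bit in absolute and in symbolic mode and checks that both produce the same result. The directories are constructed under a temporary directory as stand-ins for /sales-projects and /sales-collaboration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed directories under a temp dir stand in for the
# lab's /sales-projects and /sales-collaboration; no root or extra users needed.

# Octal and symbolic mode of a path (GNU stat, as shipped on CentOS 7).
octal_mode()  { stat -c '%a' "$1"; }
symbol_mode() { stat -c '%A' "$1"; }

# Absolute mode: leading 3 = SGID (2) + Sticky Bit (1); 770 = rwx for owner and group.
set_absolute() { mkdir -p "$1" && chmod 3770 "$1"; }

# Symbolic mode: the same result built from named bits.
set_symbolic() { mkdir -p "$1" && chmod u=rwx,g=rwx,o=,g+s,+t "$1"; }

# A file created inside an SGID directory takes the directory's group.
check_group_inherit() {
    f="$1/inherit-test.txt"
    : > "$f" || return 1
    if [ "$(stat -c '%g' "$f")" = "$(stat -c '%g' "$1")" ]; then
        echo inherited
    else
        echo mismatch
    fi
    rm -f "$f"
}

# Audit a shared directory: report which of SGID / Sticky Bit is not set.
audit_shared_dir() {
    m=$(symbol_mode "$1"); missing=""
    case "$m" in d?????[sS]???) ;; *) missing="$missing sgid" ;; esac
    case "$m" in *[tT]) ;; *) missing="$missing sticky" ;; esac
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

demo_root=$(mktemp -d)
set_absolute "$demo_root/sales-projects"
set_symbolic "$demo_root/sales-collaboration"
for d in "$demo_root/sales-projects" "$demo_root/sales-collaboration"; do
    printf '%s %s %s %s\n' "$(octal_mode "$d")" "$(symbol_mode "$d")" \
        "$(audit_shared_dir "$d")" "$(check_group_inherit "$d")"
done
rm -rf "$demo_root"
```

In the symbolic listing the group execute slot shows `s` for SGID, and the final slot shows an uppercase `T` because the Sticky Bit is set while others have no execute permission.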
Lab Summary Conclusion
After completing the “Configure Advanced Permissions in Linux” virtual lab, you will have accomplished the following:
- Created the required user accounts, groups, directories, and files.
- Configured and tested the SGID permission on a directory.
- Configured and tested the Sticky Bit permission on a directory.
- Configured Sticky Bits and SGID by using absolute mode and symbolic mode.