Lab Information
After conducting a security audit within the Stratos DC, the Nautilus security team discovered misconfigured permissions on critical files. To address this, corrective actions are being taken by the production support team. Specifically, the file named /etc/hosts on Nautilus App 2 server requires adjustments to its Access Control Lists (ACLs) as follows:
The file's user owner and group owner should be set to root.
Others should possess read only permissions on the file.
User ammar must not have any permissions on the file.
User jerome should be granted read only permission on the file.
Lab Solutions
Part 1: Lab Step-by-Step Guidelines (Technical Execution)
Step 1: Log in to the Jump Host
ssh thor@jump_host.stratos.xfusioncorp.com
Password:
mjolnir123
Step 2: Log in to App Server 2
ssh steve@stapp02.stratos.xfusioncorp.com
Password:
Am3ric@
Step 3: Switch to root
sudo -i
Step 4: Set owner and group to root
chown root:root /etc/hosts
Step 5: Set base permissions (others read only)
chmod 644 /etc/hosts
This ensures:
Owner → rw-
Group → r--
Others → r--
Step 6: Remove all permissions for user ammar
setfacl -m u:ammar:--- /etc/hosts
Step 7: Grant read-only permission to user jerome
setfacl -m u:jerome:r-- /etc/hosts
Step 8: Verify ACL configuration
getfacl /etc/hosts
Expected output should include (the header lines confirm the ownership set in Step 4, and the mask entry appears automatically once named-user entries exist):
# file: etc/hosts
# owner: root
# group: root
user::rw-
user:ammar:---
user:jerome:r--
group::r--
mask::r--
other::r--
Final Checklist
Owner = root
Group = root
Permissions = 644
ammar has no permissions
jerome has read-only access
Verified using getfacl
Part 2: Simple Step-by-Step Explanation (Beginner Friendly)
Why use ACL instead of normal chmod?
Normal permissions allow control for:
Owner
Group
Others
But this task requires:
Specific rules for individual users (ammar, jerome)
That requires Access Control Lists (ACLs).
Step-by-step Logic
1. Set owner and group
chown root:root /etc/hosts
Ensures root fully controls the file.
2. Set base permission to 644
chmod 644 /etc/hosts
Means:
Owner → read & write
Group → read only
Others → read only
3. Remove ammar's access
setfacl -m u:ammar:--- /etc/hosts
Even though "others" have read permission, a named-user ACL entry is matched before the "others" bits, so this entry explicitly denies ammar.
4. Give jerome read-only access
setfacl -m u:jerome:r-- /etc/hosts
Jerome's read access now comes from his own ACL entry rather than from the "others" bits, so a later change to those bits does not take it away. One caveat: the ACL mask tracks the group permission bits, so a later chmod that removes group read would also cap jerome's effective rights; getfacl marks such entries with an "#effective:" annotation.
Why verify with getfacl?
ls -l only shows a "+" after the mode bits when a file carries an ACL; it does NOT list the ACL entries.
Only getfacl shows them:
getfacl /etc/hosts
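To make the Step 8 verification repeatable (and to show the mask caveat from Part 2 concretely), here is an added example that is not part of the original lab solution or of the lab platform's own tooling. It is a POSIX shell script that parses a getfacl listing and checks the four requirements against effective rights, honouring getfacl's "#effective:" annotation. The two listings are constructed here, not captured from stapp02; the first meets every requirement, the second shows the same file after a later chmod 604, where the group bits zero the ACL mask and jerome's r-- entry is still listed but no longer effective. The apply_hosts_acl helper is an assumption of this example that strings Steps 4 to 8 together for an arbitrary file path.

```shell
#!/bin/sh
# Added example (not part of the original lab): script the getfacl check from
# Step 8 instead of eyeballing it. The listings below are constructed here to
# mirror what getfacl prints; they were not captured from stapp02.

# A listing that meets all four lab requirements.
GOOD_LISTING=$(cat <<'EOF'
# file: etc/hosts
# owner: root
# group: root
user::rw-
user:ammar:---
user:jerome:r--
group::r--
mask::r--
other::r--
EOF
)

# The same file after someone later ran "chmod 604": the group bits now feed a
# mask of "---", so jerome's r-- entry is still listed but no longer effective.
# getfacl flags that with a trailing "#effective:" comment.
MASKED_LISTING=$(cat <<'EOF'
# file: etc/hosts
# owner: root
# group: root
user::rw-
user:ammar:---
user:jerome:r--			#effective:---
group::r--			#effective:---
mask::---
other::r--
EOF
)

# effective_perms LISTING USER
# Prints the effective rwx triple of USER's named-user entry ("" if there is
# none), taking the "#effective:" annotation into account when the mask
# restricts the entry.
effective_perms() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == "user" && $2 == u {
            perms = substr($3, 1, 3)
            # "#effective:" is 11 characters; the triple follows it directly.
            if (match($0, /#effective:[rwx-]+/))
                perms = substr($0, RSTART + 11, 3)
            print perms
            exit
        }'
}

# check_hosts_acl LISTING
# Returns 0 when LISTING satisfies the lab requirements; otherwise prints one
# FAIL line per unmet requirement and returns 1.
check_hosts_acl() {
    listing=$1
    rc=0
    printf '%s\n' "$listing" | grep -qx '# owner: root' || { echo 'FAIL: owner is not root'; rc=1; }
    printf '%s\n' "$listing" | grep -qx '# group: root' || { echo 'FAIL: group is not root'; rc=1; }
    printf '%s\n' "$listing" | grep -qx 'other::r--'    || { echo 'FAIL: others are not r--'; rc=1; }
    ammar=$(effective_perms "$listing" ammar)
    [ "$ammar" = "---" ]  || { echo "FAIL: ammar effective rights are '$ammar', want '---'"; rc=1; }
    jerome=$(effective_perms "$listing" jerome)
    [ "$jerome" = "r--" ] || { echo "FAIL: jerome effective rights are '$jerome', want 'r--'"; rc=1; }
    return $rc
}

# apply_hosts_acl FILE
# Hypothetical helper: Steps 4 to 8 of the lab as one idempotent function,
# checked against the real getfacl output. Needs root and the acl package
# (setfacl/getfacl); the offline self-check below does not call it.
apply_hosts_acl() {
    chown root:root "$1" &&
    chmod 644 "$1" &&
    setfacl -m u:ammar:--- "$1" &&
    setfacl -m u:jerome:r-- "$1" &&
    check_hosts_acl "$(getfacl "$1")"
}

# Offline self-check on the constructed listings. As root on the app server
# you would instead run: apply_hosts_acl /etc/hosts
check_hosts_acl "$GOOD_LISTING" && echo "compliant listing accepted"
check_hosts_acl "$MASKED_LISTING" || echo "masked listing rejected (as intended)"
```

The masked listing fails on exactly one requirement (jerome's effective rights), which is why checking the "#effective:" column rather than the raw entry matters: a plain grep for "user:jerome:r--" would have passed it.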