@alansenairj
Forked from MrSnyder/exercise_linux_permissions
Last active February 1, 2023 15:34
Linux permissions exercise
# Linux permissions exercise
## Step 0: Create an example directory hierarchy
```
/srv
└── telekom
    ├── bin
    ├── gigabit
    │   ├── bin
    │   ├── devops
    │   └── reports
    └── terabit
```
```bash
mkdir /srv
# The session below keeps the names exactly as they were typed here
# ("telekon" for telekom, "deops" for devops), and the top-level
# directories went straight under /srv instead of under /srv/telekom.
mkdir -p /srv/{telekon,bin,gigabit,terabit}
mkdir -p /srv/gigabit/{bin,deops,reports}
```
I am lazy:
```
.
├── bin
│   └── hello.sh
├── gigabit
│   ├── bin
│   ├── deops
│   ├── reports
│   └── teste
├── telekon
│   ├── hello.sh
│   └── test
└── terabit
    ├── bill
    └── teste
```
## Step 1: Controlling access to telekom directory
```bash
# add users (the exercise's version: one command per user)
sudo adduser marty
sudo adduser pete
sudo adduser steve
sudo adduser bill
sudo adduser jon
sudo adduser sara
sudo groupadd telekom
sudo usermod -a -G telekom pete
sudo usermod -a -G telekom steve
sudo usermod -a -G telekom bill
sudo usermod -a -G telekom jon
sudo usermod -a -G telekom sara
# the same thing as run in the session below (already root, so no sudo):
# marty stays outside the group, the other five are created directly in it
groupadd telekom
adduser marty
for i in pete steve bill jon sara
do
    adduser -G telekom "$i"   # the group name must match the one just created
done
getent passwd | tac | head -n 6   # show the six newest accounts
```
* Task: Try to restrict access to `/srv/telekom` folder, so that only members of telekom group can use it.
```bash
chown -R :root /srv
chown -R :telekom /srv/telekon/
chmod g+rw,o-rwx /srv/telekon/
chmod g+rwx,o+x /srv/
```
Checking as a group member (pete) and as a non-member (marty):
```
[root@srv2 srv]# su - pete
[pete@srv2 ~]$ cd /srv/
[pete@srv2 srv]$ ll
total 0
drwxr-xr-x. 2 root root 6 Feb 1 00:43 bin
drwxr-xr-x. 5 root root 45 Feb 1 00:43 gigabit
drwxr-x---. 2 root telekom 6 Feb 1 00:43 telekon
drwxr-xr-x. 2 root root 6 Feb 1 00:43 terabit
ls -ld srv/telekon/
drwxrwx---. 2 root telekom 6 Feb 1 00:18 srv/telekon/
[root@srv2 /]# su - marty
[marty@srv2 ~]$ cd /srv/
[marty@srv2 srv]$ ll
total 0
drwxr-xr-x. 2 root root 6 Feb 1 00:43 bin
drwxr-xr-x. 5 root root 45 Feb 1 00:43 gigabit
drwxrwx---. 2 root telekom 6 Feb 1 00:43 telekon
drwxr-xr-x. 2 root root 6 Feb 1 00:43 terabit
[marty@srv2 srv]$ cd telekon/
-bash: cd: telekon/: Permission denied
```
* Task: Verify that pete can see the files there.
```
[root@srv2 /]# su - pete
[pete@srv2 ~]$ cd /srv
[pete@srv2 srv]$ cd telekon/
[pete@srv2 telekon]$ ll
total 0
[pete@srv2 telekon]$ touch test
[pete@srv2 telekon]$ ll
total 0
-rw-rw-r--. 1 pete pete 0 Feb 1 01:00 test
[pete@srv2 telekon]$
```
* Task: Verify that marty cannot see the files here.
done
* Task: Verify that pete can write a file there.
done
* Task: As user pete, try to create a simple script `hello.sh` (see below) in `/srv/telekom/bin`
```
-rw-rw-r--. 1 pete pete 31 Feb 1 01:02 hello.sh
-rw-rw-r--. 1 pete pete 0 Feb 1 01:00 test
[pete@srv2 telekon]$ cp hello.sh ../bin/
cp: cannot create regular file '../bin/hello.sh': Permission denied
[pete@srv2 telekon]$
```
* Task: Try to understand why this may not work
```
[pete@srv2 bin]$ ls -ld /srv/bin/
drwxr-xr-x. 2 root root 6 Feb 1 00:43 /srv/bin/
```
pete is neither the owner nor a member of the root group, and `other` has no write bit on `/srv/bin`, so he cannot create files there. The script itself was written in `/srv/telekon` first:
```
[pete@srv2 telekon]$ vi hello.sh
[pete@srv2 telekon]$ ll
total 4
-rw-rw-r--. 1 pete pete 31 Feb 1 01:02 hello.sh
-rw-rw-r--. 1 pete pete 0 Feb 1 01:00 test
```
It also needs the execute bit before it can be run: `chmod +x hello.sh`.
* Task: Change the permissions of the `/srv/telekom/bin` folder and try again.
```
[pete@srv2 bin]$ logout
[root@srv2 /]# chown :telekom /srv/bin/
[root@srv2 /]# chmod g+rwx /srv/bin/
[root@srv2 /]# su - pete
[pete@srv2 bin]$ touch hello.sh
[pete@srv2 bin]$ vi hello.sh
[pete@srv2 bin]$ chmod +x hello.sh
[pete@srv2 bin]$ ./hello.sh
Hello
```
* Task: Make the script executable and execute it.
done
* Task: Check if other members of the telekom group can execute the script, if not, try to make that possible.
```
[root@srv2 /]# su - sara
[sara@srv2 ~]$ cd /srv/bin/
[sara@srv2 bin]$ ./hello.sh
Hello
```
## Step 2: Controlling access to telekom/gigabit directory
```bash
sudo groupadd gigabit
sudo usermod -a -G gigabit steve
sudo usermod -a -G gigabit bill
sudo usermod -a -G gigabit jon
```
As run in the session (as root):
```bash
for i in steve bill jon ; do usermod -aG gigabit "$i"; done
```
* Task: Restrict access to `/srv/telekom/gigabit` folder to members of gigabit group.
```
[root@srv2 gigabit]# chown :gigabit /srv/gigabit/
[root@srv2 gigabit]# chmod o-rwx /srv/gigabit/
```
* Task: Verify that steve can see the files there.
```
[root@srv2 gigabit]# su - steve
[steve@srv2 ~]$ cd /s
sbin/ srv/ sys/
[steve@srv2 ~]$ cd /srv/
[steve@srv2 srv]$ ll
total 0
drwxrwxr-x. 2 root telekom 22 Feb 1 01:10 bin
drwxr-xr--. 5 root gigabit 45 Feb 1 00:43 gigabit
drwxrwx---. 2 root telekom 34 Feb 1 01:02 telekon
drwxr-xr-x. 2 root root 6 Feb 1 00:43 terabit
[steve@srv2 srv]$ cd gigabit/
[steve@srv2 gigabit]$ ll
total 0
drwxr-xr-x. 2 root root 6 Feb 1 00:43 bin
drwxr-xr-x. 2 root root 6 Feb 1 00:43 deops
drwxr-xr-x. 2 root root 6 Feb 1 00:43 reports
[steve@srv2 gigabit]$
```
* Task: Verify that pete cannot see the files here.
```
[root@srv2 gigabit]# su - pete
[pete@srv2 ~]$ cd /srv/
[pete@srv2 srv]$ ll
total 0
drwxrwxr-x. 2 root telekom 22 Feb 1 01:10 bin
drwxr-xr--. 5 root gigabit 45 Feb 1 00:43 gigabit
drwxrwx---. 2 root telekom 34 Feb 1 01:02 telekon
drwxr-xr-x. 2 root root 6 Feb 1 00:43 terabit
[pete@srv2 srv]$ cd gigabit/
-bash: cd: gigabit/: Permission denied
[pete@srv2 srv]$
```
* Task: Verify that steve can write a file there.
```
[root@srv2 gigabit]# su - steve
[steve@srv2 ~]$ cd /srv/gigabit/
[steve@srv2 gigabit]$ touch teste
touch: cannot touch 'teste': Permission denied
[steve@srv2 gigabit]$
[steve@srv2 gigabit]$ logout
```
`o-rwx` only removed the `other` bits; the group still had `r-x`, so a member can enter and list the directory but not create anything in it. Adding write for the group fixes that:
```
[root@srv2 gigabit]# chmod g+rwx /srv/gigabit/
[root@srv2 gigabit]# su - steve
[steve@srv2 ~]$ cd /srv/gigabit/
[steve@srv2 gigabit]$ ll
total 0
drwxr-xr-x. 2 root root 6 Feb 1 00:43 bin
drwxr-xr-x. 2 root root 6 Feb 1 00:43 deops
drwxr-xr-x. 2 root root 6 Feb 1 00:43 reports
[steve@srv2 gigabit]$ touch teste
[steve@srv2 ~]$ cd /srv/gigabit/
[steve@srv2 gigabit]$ ll
total 0
drwxr-xr-x. 2 root root 6 Feb 1 00:43 bin
drwxr-xr-x. 2 root root 6 Feb 1 00:43 deops
drwxr-xr-x. 2 root root 6 Feb 1 00:43 reports
-rw-rw-r--. 1 steve steve 0 Feb 1 01:56 teste
```
## Step 3: Controlling access to telekom/terabit directory
```bash
sudo groupadd terabit
sudo usermod -a -G terabit sara
sudo usermod -a -G terabit jon
sudo usermod -a -G terabit bill
```
```
[root@srv2 gigabit]# groupadd terabit
[root@srv2 gigabit]# for i in sara jon bill ; do usermod -aG terabit "$i"; done
```
* Task: Restrict access to `/srv/telekom/terabit` folder to members of terabit group.
```bash
chown :terabit /srv/terabit/
chmod o-rwx /srv/terabit/
chmod g+rwx /srv/terabit/
```
* Task: Verify that sara can see the files there.
```
[root@srv2 srv]# su - sara
[sara@srv2 ~]$ cd /srv/terabit/
[sara@srv2 terabit]$ ll
total 0
[sara@srv2 terabit]$
```
* Task: Verify that steve cannot see the files here.
```
[steve@srv2 srv]$ cd terabit/
-bash: cd: terabit/: Permission denied
```
* Task: Verify that sara can write a file there.
```
[sara@srv2 srv]$ cd terabit/
[sara@srv2 terabit]$ touch teste
[sara@srv2 terabit]$ ll
total 0
-rw-rw-r--. 1 sara sara 0 Feb 1 02:06 teste
```
* Task: Verify that bill can write a file there.
```
[root@srv2 srv]# su - bill
[bill@srv2 ~]$ cd /srv/
[bill@srv2 srv]$ cd terabit/
[bill@srv2 terabit]$ ll
total 0
-rw-rw-r--. 1 sara sara 0 Feb 1 02:06 teste
[bill@srv2 terabit]$ touch bill
[bill@srv2 terabit]$ ll
total 0
-rw-rw-r--. 1 bill bill 0 Feb 1 02:08 bill
-rw-rw-r--. 1 sara sara 0 Feb 1 02:06 teste
[bill@srv2 terabit]$
```
## Step 4: Controlling access in telekom/gigabit subdirectories
```bash
sudo groupadd gigabit-sales
sudo groupadd gigabit-nerdz
sudo usermod -a -G gigabit-sales steve
sudo usermod -a -G gigabit-nerdz,gigabit-sales bill
sudo usermod -a -G gigabit-nerdz jon
```
* Task: Restrict access to `/srv/telekom/gigabit/reports` to members of gigabit-sales group
```
[root@srv2 /]# chown :gigabit-sales srv/gigabit/reports/
[root@srv2 /]# chmod o-rwx /srv/gigabit/reports/
[root@srv2 /]# chmod g+rwx /srv/gigabit/reports/
```
* Task: Verify that bill can create a file there.
```
[root@srv2 /]# su - bill
[bill@srv2 ~]$ cd /srv/gigabit/reports/
[bill@srv2 reports]$ touch teste
[bill@srv2 reports]$ ll
total 0
-rw-rw-r--. 1 bill bill 0 Feb 1 02:16 teste
```
* Task: Verify that jon cannot see the files there.
```
[root@srv2 /]# su - jon
[jon@srv2 ~]$ cd /srv
[jon@srv2 srv]$ cd gigabit/
[jon@srv2 gigabit]$ ll
total 0
drwxr-xr-x. 2 root root 6 Feb 1 00:43 bin
drwxr-xr-x. 2 root root 6 Feb 1 00:43 deops
drwxrwx---. 2 root gigabit-sales 19 Feb 1 02:16 reports
-rw-rw-r--. 1 steve steve 0 Feb 1 01:56 teste
[jon@srv2 gigabit]$ cd reports/
-bash: cd: reports/: Permission denied
[jon@srv2 gigabit]$
```
* Task: Restrict access to `/srv/telekom/gigabit/devops` to members of gigabit-nerdz group
```
[root@srv2 /]# chown :gigabit-nerdz /srv/gigabit/devops
[root@srv2 /]# chmod o-rwx /srv/gigabit/devops
[root@srv2 /]# chmod g+rwx /srv/gigabit/devops
```
* Task: Verify that jon can create a file there.
```
[root@srv2 /]# su - jon
[jon@srv2 ~]$ cd /srv/gigabit/devops
[jon@srv2 devops]$ touch testee
[jon@srv2 devops]$ ll
total 0
-rw-rw-r--. 1 jon jon 0 Feb 1 02:21 testee
[jon@srv2 devops]$
```
* Task: Verify that steve cannot see the files there.
```
[root@srv2 ~]# su - steve
[steve@srv2 ~]$ cd /srv/
[steve@srv2 srv]$ tree
.
├── bin
│   └── hello.sh
├── gigabit
│   ├── bin
│   ├── devops [error opening dir]
│   ├── reports
│   │   └── teste
│   └── teste
├── telekon
│   ├── hello.sh
│   └── test
└── terabit [error opening dir]
7 directories, 5 files
```
* Task: Create a dummy script `/srv/telekom/gigabit/bin/hello.sh`
```
[root@srv2 bin]# cat <<EOF > hello.sh
> #!/bin/bash
> echo "hello"
> EOF
```
* Task: Make the script executable for all gigabit members
```
[root@srv2 bin]# ll
total 4
-rw-r--r--. 1 root root 6 Feb 1 02:24 hello.sh
[root@srv2 bin]#
[root@srv2 bin]# setfacl -m g:gigabit:rwx hello.sh
[root@srv2 bin]# getfacl hello.sh
# file: hello.sh
# owner: root
# group: root
user::rw-
group::r--
group:gigabit:rwx
mask::rwx
other::r--
[root@srv2 bin]#
[root@srv2 bin]# chown :gigabit hello.sh
```
The ACL entry grants `rwx`, so every gigabit member can also edit the script; `r-x` (`setfacl -m g:gigabit:r-x hello.sh`) is all that execution needs.
* Task: Check execution for both steve and jon
```
[root@srv2 bin]# su - jon
[jon@srv2 ~]$ cd /srv/gigabit/bin/
[jon@srv2 bin]$ ./hello.sh
hello
[jon@srv2 bin]$
[root@srv2 bin]# su - steve
[steve@srv2 ~]$ cd /srv/gigabit/bin/
[steve@srv2 bin]$ ./hello.sh
hello
[steve@srv2 bin]$
```
* Task: Create a dummy script `/srv/telekom/gigabit/bin/ci-cd.sh`
```
[root@srv2 bin]# cat <<EOF > ci-cd.sh
> #!/bin/bash
> echo "ci-cd"
> EOF
```
* Task: Make the script executable to the gigabit-nerdz group only
```
[root@srv2 bin]# getent group | grep gigabit
gigabit:x:1035:steve,bill,jon
gigabit-sales:x:1037:steve,bill
gigabit-nerdz:x:1038:bill,jon
[root@srv2 bin]#
[root@srv2 bin]# ll
total 8
-rw-r--r--. 1 root root 25 Feb 1 02:39 ci-cd.sh
-rw-rwxr--+ 1 root gigabit 25 Feb 1 02:37 hello.sh
[root@srv2 bin]# setfacl -m g:gigabit-nerdz:rwx ci-cd.sh
[root@srv2 bin]# getfacl ci-cd.sh
# file: ci-cd.sh
# owner: root
# group: root
user::rw-
group::r--
group:gigabit-nerdz:rwx
mask::rwx
other::r--
[root@srv2 bin]#
[root@srv2 bin]# chown :gigabit-nerdz ci-cd.sh
[root@srv2 bin]# getfacl ci-cd.sh
# file: ci-cd.sh
# owner: root
# group: gigabit-nerdz
user::rw-
group::r--
group:gigabit-nerdz:rwx
mask::rwx
other::r--
```
* Task: Check execution for both bill and jon
```
[bill@srv2 bin]$ ll
total 8
-rw-rwxr--+ 1 root gigabit-nerdz 25 Feb 1 02:39 ci-cd.sh
-rw-rwxr--+ 1 root gigabit 25 Feb 1 02:37 hello.sh
[bill@srv2 bin]$
[bill@srv2 bin]$ ./ci-cd.sh
ci-cd
[bill@srv2 bin]$
[jon@srv2 ~]$ tree /srv
/srv
├── bin
│   └── hello.sh
├── gigabit
│   ├── bin
│   │   ├── ci-cd.sh
│   │   └── hello.sh
│   ├── devops
│   │   └── testee
│   ├── reports [error opening dir]
│   └── teste
├── telekon
│   ├── hello.sh
│   └── test
└── terabit
    ├── bill
    └── teste
7 directories, 9 files
[jon@srv2 ~]$ cd /srv/gigabit/bin/
[jon@srv2 bin]$ ./ci-cd.sh
ci-cd
[jon@srv2 bin]$
```
* Task: Check that execution does not work for steve
```
[jon@srv2 bin]$ logout
[root@srv2 bin]# su - steve
[steve@srv2 ~]$ cd /srv/gigabit/bin/
[steve@srv2 bin]$ ll
total 8
-rw-rwxr--+ 1 root gigabit-nerdz 25 Feb 1 02:39 ci-cd.sh
-rw-rwxr--+ 1 root gigabit 25 Feb 1 02:37 hello.sh
[steve@srv2 bin]$ ./ci-cd.sh
-bash: ./ci-cd.sh: Permission denied
```
steve is in gigabit but not in gigabit-nerdz, so neither the owning-group entry nor the named-group entry applies to him; he falls through to `other::r--`, which has no execute bit.
## New tasks: special permissions
Apply the following rules to each directory of the tree as it stands now:
```
/srv
├── bin
│   └── hello.sh
├── gigabit
│   ├── bin
│   │   ├── ci-cd.sh
│   │   └── hello.sh
│   ├── devops
│   │   └── testee
│   ├── reports
│   │   └── teste
│   └── teste
├── telekon
│   ├── hello.sh
│   └── test
└── terabit
    ├── bill
    └── teste
```
* Task: The `/srv/bin` directory must be adjusted so that every file created there belongs to the same group as the directory that contains it.
```
[root@srv2 bin]# chmod g+s /srv/bin/
[root@srv2 bin]# ls -ld /srv/bin/
drwxrwsr-x. 2 root telekom 22 Feb 1 01:10 /srv/bin/
[root@srv2 bin]# getent group | grep telekom
telekom:x:1028:pete,steve,bill,jon,sara
```
The setgid bit shows as `s` in the group execute position; files created in `/srv/bin` from now on get the group `telekom` instead of the creator's primary group.

Giving sara (and the whole telekom group) access to `/srv/gigabit/bin` through ACL entries:
```
setfacl -m g:telekom:rwx /srv/gigabit/bin/
setfacl -m u:sara:rwx /srv/gigabit/bin/
[root@srv2 bin]# getent group | grep gigabit
gigabit:x:1035:steve,bill,jon
gigabit-sales:x:1037:steve,bill
gigabit-nerdz:x:1038:bill,jon
[root@srv2 bin]# su - sara
[sara@srv2 ~]$ cd /srv/gigabit/
-bash: cd: /srv/gigabit/: Permission denied
[sara@srv2 ~]$ ls -ld /srv/gigabit/
drwxrwx---. 5 root gigabit 59 Feb 1 02:18 /srv/gigabit/
[sara@srv2 ~]$ logout
```
The ACL on `/srv/gigabit/bin` is not enough on its own: sara is not in the gigabit group and `other` has no search (`x`) bit on the parent `/srv/gigabit`, so she cannot reach the subdirectory at all until she is added to that group:
```
[root@srv2 bin]# getent group | grep gigabit
gigabit:x:1035:steve,bill,jon
[root@srv2 bin]# usermod -aG gigabit sara
[root@srv2 bin]# su - sara
[sara@srv2 ~]$ cd /srv/gigabit/
[sara@srv2 gigabit]$ ll
total 0
drwxrwxr-x+ 2 root root 38 Feb 1 02:39 bin
[sara@srv2 gigabit]$ cd bin/
[sara@srv2 bin]$ ll
total 8
-rw-rwxr--+ 1 root gigabit-nerdz 25 Feb 1 02:39 ci-cd.sh
-rw-rwxr--+ 1 root gigabit 25 Feb 1 02:37 hello.sh
```
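To make the rules behind these listings explicit, the following model is an added example and not code from the gist or the original exercise. It implements the access check described in acl(5) (owner, then named user, then owning and named groups filtered through the mask, then other) plus the requirement of search permission on every parent directory, and it reproduces the outcomes seen above for marty, pete, steve, jon, bill and sara. It uses the modes, ACLs and group memberships transcribed from the `ls -ld`, `getfacl` and `getent` output on this page, does not model root's DAC override, and is in Python because it needs no root account to run.

```python
"""Access-check model for the listings above (added example, not gist code).
Order follows acl(5): owner, named user, owning/named groups through the
mask, then other; search (x) is required on every ancestor directory.
root's DAC override is not modelled; data is transcribed from this page."""
R, W, X = 4, 2, 1

class Node:
    def __init__(self, owner, group, mode, users=None, groups=None, mask=None):
        self.owner, self.group, self.mode = owner, group, mode
        self.users = users or {}    # named ACL users:  name -> rwx bits
        self.groups = groups or {}  # named ACL groups: name -> rwx bits
        self.mask = mask            # ACL mask bits; None = no extended ACL

GROUPS = {  # getent group after Step 4 (sara not yet added to gigabit)
    "telekom": {"pete", "steve", "bill", "jon", "sara"},
    "gigabit": {"steve", "bill", "jon"},
    "gigabit-sales": {"steve", "bill"},
    "gigabit-nerdz": {"bill", "jon"},
    "terabit": {"sara", "jon", "bill"},
}

FS = {  # /srv after Step 4 plus the two setfacl calls on /srv/gigabit/bin
    "/srv": Node("root", "root", 0o755),
    "/srv/telekon": Node("root", "telekom", 0o770),
    "/srv/gigabit": Node("root", "gigabit", 0o770),
    "/srv/gigabit/reports": Node("root", "gigabit-sales", 0o770),
    "/srv/gigabit/bin": Node("root", "root", 0o755, users={"sara": 7},
                             groups={"telekom": 7}, mask=7),
    # -rw-rwxr--+ : group::r--, group:gigabit-nerdz:rwx, mask::rwx
    "/srv/gigabit/bin/ci-cd.sh": Node("root", "gigabit-nerdz", 0o644,
                                      groups={"gigabit-nerdz": 7}, mask=7),
}

def has(node, user, want, groups):
    """Single-object check: True if every bit in `want` is granted."""
    if user == node.owner:
        return ((node.mode >> 6) & want) == want
    mask = 7 if node.mask is None else node.mask
    if user in node.users:
        return (node.users[user] & mask & want) == want
    mine = {g for g, members in groups.items() if user in members}
    entries = [(node.mode >> 3) & 7] if node.group in mine else []
    entries += [bits for g, bits in node.groups.items() if g in mine]
    if entries:  # group class matched: one entry on its own must contain `want`
        return any((e & mask & want) == want for e in entries)
    return (node.mode & want) == want

def allowed(user, path, want, fs=FS, groups=GROUPS):
    """Full check: search on every ancestor directory, then `want` on path."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        if not has(fs["/" + "/".join(parts[:depth])], user, X, groups):
            return False
    return has(fs[path], user, want, groups)
```

Creating a file in a directory corresponds to `W | X` on that directory, executing a script to `X` on the file.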
* Task: Apply execute/search permission to `hello.sh` only where the target is a directory or already has execute permission for some user (the `X` mode).
```
[root@srv2 bin]# find /srv/ -name hello*
/srv/telekon/hello.sh
/srv/bin/hello.sh
/srv/gigabit/bin/hello.sh
[root@srv2 bin]# chmod +X /srv/telekon/
[root@srv2 telekon]# chmod u+rwX /srv/telekon/hello.sh
[root@srv2 telekon]# chmod u+X,g-x,o-x hello.sh
[sara@srv2 telekon]$ ./hello.sh
-bash: ./hello.sh: Permission denied
```
`X` adds execute only to directories and to files that already carry at least one execute bit; `/srv/telekon/hello.sh` was created as `-rw-rw-r--`, so `u+rwX` leaves it non-executable and sara is still denied.
* Task: In `/srv/bin` only the root user may remove, execute and create files.
```
[root@srv2 ~]# ls -ld /srv/bin/
drwxrwsr-x. 2 root telekom 22 Feb 1 01:10 /srv/bin/
[root@srv2 ~]# chmod u+rwx,g-rwx,o-rwx /srv/bin/
[root@srv2 ~]# su - sara
[sara@srv2 ~]$ cd /srv/bin/
-bash: cd: /srv/bin/: Permission denied
```
The setgid bit survives the `g-rwx`; with no group execute bit left, `ls` shows it as a capital `S` (`drwx--S---` in the listing further down).
* Task: `/srv/telekon` has to be adjusted so that the damn consultant can neither access nor create files there; that guy can do nothing here.
```
[root@srv2 ~]# adduser consultor
[root@srv2 ~]# setfacl -m u:consultor:- /srv/telekon/
[root@srv2 ~]# su - consultor
[consultor@srv2 ~]$ cd /srv/telekon/
-bash: cd: /srv/telekon/: Permission denied
```
A named-user ACL entry with no permissions (`u:consultor:-`) is evaluated before the group and `other` entries, so consultor is denied regardless of what those bits grant.
* Task: `/srv/terabit` must contain a script that only root can execute. Make up any script, e.g. `echo yadayada`.
```
[root@srv2 srv]# ls -ld terabit/
drwxrwx---. 2 root terabit 31 Feb 1 02:08 terabit/
[root@srv2 terabit]# chmod u+rwx,g-rwx,o-rwx yada.sh
[root@srv2 terabit]# ls -ld yada.sh
-rwx------. 1 root root 25 Feb 1 05:06 yada.sh
[root@srv2 terabit]# ./yada.sh
yada
[root@srv2 terabit]# pwd
/srv/terabit
[root@srv2 terabit]# su - sara
[sara@srv2 ~]$ cd /srv/terabit
[sara@srv2 terabit]$ ll
total 4
-rw-rw-r--. 1 bill bill 0 Feb 1 02:08 bill
-rw-rw-r--. 1 sara sara 0 Feb 1 02:06 teste
-rwx------. 1 root root 25 Feb 1 05:06 yada.sh
[sara@srv2 terabit]$ ./yada.sh
-bash: ./yada.sh: Permission denied
```
* Task: Make `/srv/gigabit/reports` viewable by everyone, but do not let anyone delete what is in that folder.
```
[root@srv2 terabit]# chmod o+r-x /srv/gigabit/reports/
[root@srv2 terabit]# ls -ld /srv/gigabit/reports/
drwxrwxr--. 2 root gigabit-sales 19 Feb 1 02:16 /srv/gigabit/reports/
[root@srv2 terabit]# chmod u+rwx,g-wx /srv/gigabit/reports/
[root@srv2 terabit]# ls -ld /srv/gigabit/reports/
drwxr--r--. 2 root gigabit-sales 19 Feb 1 02:16 /srv/gigabit/reports/
[root@srv2 terabit]# chmod o+rx /srv/gigabit/reports/
[root@srv2 terabit]# su - sara
[sara@srv2 ~]$ cd /srv/gigabit/reports/
[sara@srv2 reports]$ ll
total 0
-rw-rw-r--. 1 bill bill 0 Feb 1 02:16 teste
[sara@srv2 reports]$ rm teste
rm: remove write-protected regular empty file 'teste'? y
rm: cannot remove 'teste': Permission denied
```
Read without search (`r--`) only lets others list file names, so the final `o+rx` is what makes the directory usable. Deleting requires write on the directory, which after `g-wx` only root has, so even gigabit-sales members can no longer remove files; the `write-protected` prompt comes from the file's own bits, the refusal from the directory.
* Task: Create the folders `developers` and `admins` under `/srv`. New files in those directories should be owned by the group owner, and only the creator of a file should be able to delete it.
```
[root@srv2 terabit]# mkdir -p /srv/{developers,admins}
[root@srv2 terabit]# chmod +t /srv/developers/
[root@srv2 terabit]# chmod +t /srv/admins/
[root@srv2 terabit]# ls -ld /srv/*
drwxr-xr-t. 2 root root 6 Feb 1 05:13 /srv/admins
drwx--S---. 2 root root 22 Feb 1 01:10 /srv/bin
drwxr-xr-t. 2 root root 6 Feb 1 05:13 /srv/developers
drwxrwx---+ 5 root gigabit 59 Feb 1 02:18 /srv/gigabit
drwxrws--x+ 2 root telekom 34 Feb 1 01:02 /srv/telekon
drwxrwx---. 2 root terabit 46 Feb 1 05:06 /srv/terabit
```
The sticky bit (`t`) covers the "only the creator may delete" half. The group-ownership half needs setgid (`g+s`) on the directory as well, and for anyone besides root to create files there the group also needs write permission; the listing shows neither on `developers` or `admins` yet.
* Task: Create a file named `zecu.sh` inside `/srv/` and apply read-only permission to it; only its owner may execute it.
```
[root@srv2 srv]# chmod u+rwx,g-rwx,o-rwx zecu.sh
[root@srv2 srv]# ls -ld zecu.sh
-rwx------. 1 root root 0 Feb 1 05:19 zecu.sh
```