Figure 11-2 shows the flow of remote access authentication.
Figure 11-2 Remote Access Authentication (flowchart; the image is not reproduced here). Labels recoverable from the figure: user1 on host1 runs rlogin, rcp, or rsh; decision points "user1 in /etc/passwd?", "Command? rlogin", and "Password correct?" with Yes/No branches; outcomes "Access allowed", "Access denied", "Password prompt", and "Login prompt"; and the note "Type Control-D to get out of incorrect password loop".
Controlling System Access
While the /etc/hosts.equiv and $HOME/.rhosts files have the same format, the same entries in each file have different effects.
Both files are formatted as a list of one-line entries, which can contain the following types of entries:
The host names in the /etc/hosts.equiv and $HOME/.rhosts files must be the official name of the host, not one of its alias names.
Note – When logging in to a number of different systems, you can run the uname -n command to determine on which system you are currently logged in.
For regular users, the /etc/hosts.equiv file identifies remote hosts and remote users who are considered to be trusted.
Note – The /etc/hosts.equiv file is not checked at all if the remote user requesting local access is the root user.
If the local host's /etc/hosts.equiv file contains the host name of a remote host, then all regular users of that remote host are trusted and do not need to supply a password to log in to the local host. This is provided that each remote user is known to the local host by having an entry in the local /etc/passwd file; otherwise, access is denied.
This functionality is particularly useful for sites where regular users commonly have accounts on many different systems, eliminating the security risk of sending ASCII passwords over the network. The trade-off is that the local host now relies entirely on the remote host's identity: any host that can present a trusted host name, or any compromised account on a trusted host, gets the same password-free access.
The /etc/hosts.equiv file does not exist by default. It must be created if trusted remote user access is required on the local host.
While the /etc/hosts.equiv file applies system-wide access for non-root users, the .rhosts file applies to a specific user. All users, including the root user, can create and maintain their own .rhosts files in their home directories.
For example, if you run an rlogin process from a remote host to gain root access to a local host, the /.rhosts file is checked in the root home directory on the local host.
If the remote host name is listed in this file, it is a trusted host, and, in this case, root access is granted on the local host. The CONSOLE variable in the /etc/default/login file must be commented out for remote root logins.
The $HOME/.rhosts file does not exist by default. You must create it in the user's home directory.
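An added check, not part of the Sun course material: the script below audits a hosts.equiv or .rhosts file for the entries a reviewer cares about most (wildcard hosts or users, netgroup wildcards, aliases used where the official host name is required, and names absent from the hosts file). The entry forms it recognizes are those documented for Solaris hosts.equiv(4) and are listed in the header comment as the script's assumptions; treating lines that start with # as comments is also an assumption. The sample hosts and trust files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not part of the Sun course text. Audits a trust file
# (/etc/hosts.equiv or a user's $HOME/.rhosts) for entries that widen
# password-free access further than an administrator usually intends.
#
# Entry format assumed (Solaris hosts.equiv(4) / rhosts); # starts a comment:
#   hostname            every user with a matching local account on hostname is trusted
#   hostname username   only that remote user is trusted
#   +                   wildcard: every host is trusted
#   hostname +          wildcard: every user on hostname is trusted
#   +@netgroup          every host in the NIS netgroup is trusted
#   -hostname           explicit denial
# HOSTSFILE is in /etc/hosts format (address, official name, aliases) and is
# used to enforce the rule that entries must carry the official host name.

# audit_trust_file TRUSTFILE HOSTSFILE
# Prints "SEVERITY line N: reason: entry" per finding; exit 1 if any HIGH.
audit_trust_file() {
    awk -v hostsfile="$2" '
    BEGIN {
        while ((getline line < hostsfile) > 0) {
            sub(/#.*/, "", line)          # strip comments
            $0 = line                     # re-split into fields
            if (NF < 2) continue
            official[$2] = 1              # field 2 is the official name
            for (i = 3; i <= NF; i++) alias[$i] = $2
        }
        close(hostsfile)
        high = 0
    }
    {
        entry = $0
        sub(/#.*/, "", $0)
        if (NF == 0) next                 # blank or comment-only line
        host = $1
        user = (NF > 1) ? $2 : ""
        if (host == "+") {
            printf "HIGH line %d: wildcard host, every host is trusted: %s\n", NR, entry
            high++
        } else if (substr(host, 1, 2) == "+@") {
            printf "MEDIUM line %d: netgroup wildcard: %s\n", NR, entry
        } else if (substr(host, 1, 1) == "-") {
            printf "INFO line %d: explicit denial: %s\n", NR, entry
        } else if (host in alias) {
            printf "MEDIUM line %d: alias used, official name is %s: %s\n", NR, alias[host], entry
        } else if (!(host in official)) {
            printf "MEDIUM line %d: not an official host name in the hosts file: %s\n", NR, entry
        }
        if (user == "+" && host != "+") {
            printf "HIGH line %d: wildcard user, every account on %s is trusted: %s\n", NR, host, entry
            high++
        }
    }
    END { if (high > 0) exit 1; exit 0 }
    ' "$1"
}

# demo_audit: writes constructed sample files to a temp dir and audits them.
demo_audit() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/hosts" <<'EOF'
# constructed sample in /etc/hosts format
127.0.0.1      localhost
192.168.1.10   host1   h1   web
192.168.1.11   host2   h2
EOF
    cat > "$dir/hosts.equiv" <<'EOF'
# constructed sample trust file
host2
h1
host1 +
+
-host2
EOF
    status=0
    audit_trust_file "$dir/hosts.equiv" "$dir/hosts" || status=$?
    rm -rf "$dir"
    return $status
}
```

Run it against a real file with audit_trust_file /etc/hosts.equiv /etc/hosts; a non-zero exit status means at least one wildcard entry was found, which is the condition worth alerting on in a cron job.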
Performing the Exercises
You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:
● Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.
● Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine the commands (and options) to input.
● Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.
Exercise: User Access (Level 1)
In this exercise, you complete the following tasks:
● Log failed login attempts
● Use the commands finger, last, rusers, su, and whoami
● Examine the sulog file
● Change the /etc/default/login file to allow root logins from any terminal
● Change the /etc/ftpd/ftpusers file to allow FTP access as the root user
● Create a /.rhosts file to allow root access from another system
Preparation
This lab requires two systems. Each system lists the other in its /etc/inet/hosts file. The lab also requires two specific users, user9 and user3, on both systems. Both users should use the password 123pass. Refer to the lecture notes as necessary to perform the steps listed.
Remote Lab Data Center (RLDC)
In addition to being able to use local classroom equipment, this lab has also been designed to use equipment located in a remote lab data center. Directions for accessing and using this resource can be found at:
http://fn1.brom.suned.com/
Ask your instructor for the particular SSH (Secure Shell) configuration file you should use to access the appropriate remote equipment for this exercise.
Tasks
Complete the following tasks:
● Create a log file to record failed login attempts. Use the command-line login to make five failed login attempts. List the contents of the log file. Use commands to display information for user9 on both your system and your partner's system.
(Steps 1–7 in the Level 2 lab)
● Identify when the first root login session on your system occurred and how long the session lasted. Identify when your system last booted. List the users logged in on all systems on your network and on just your partner's system.
(Steps 8–11 in the Level 2 lab)
● Change your user identity from the root user to user9, both with and without the - (dash) option. Record the differences. List effective and real user identity during your su sessions. Locate the sulog and identify which user initiated your su attempts.
(Steps 12–18 in the Level 2 lab)
● As the root user, attempt to log into your partner's system. Record error messages. Change the CONSOLE variable on your partner's system to allow root logins from any terminal. Attempt to access your partner's system again.
(Steps 19–21 in the Level 2 lab)
● As the root user, attempt to use the ftp command to access your partner's system. Change the ftp permissions file to allow root access to your partner's system.
(Step 22 in the Level 2 lab)
● As the root user, attempt to use the rlogin command to access your partner's system. Ask your partner to create a /.rhosts file that lists your system name. Attempt to use the rlogin command to access your partner's system again.
(Step 23 in the Level 2 lab)
Exercise: User Access (Level 2)
Preparation
This lab requires two systems. Each system lists the other in its /etc/inet/hosts file. It also requires two specific users, user9 and user3, on both systems. Both users should use the password 123pass. Refer to the lecture notes as necessary to perform the steps listed.
Task Summary
In this exercise, you accomplish the following:
● Create the file /var/adm/loginlog. Use the command-line login to make five failed login attempts. List the contents of the /var/adm/loginlog file. Use the finger command to display information for user9 on both your system and your partner's system.
● Use the last command to identify when the first root login session on your system occurred and how long the session lasted. Use the last command to learn when your system last booted. Use the rusers command to list the users logged in on all systems on your network and on just your partner's system.
● Use the su command to change your user identity from the root user to user9, both with and without the - (dash) option. Record the differences. Use the whoami and who am i commands to list your effective and real user identity during your su sessions. Locate the sulog declared in the /etc/default/su file, and identify which user initiated your su attempts.
● As the root user, attempt a session to your partner's system by using the telnet command. Record error messages. Change the CONSOLE variable on your partner's system to allow root logins from any terminal. Attempt the telnet session again.
● As the root user, attempt to use the ftp command to access your partner's system. Change the /etc/ftpd/ftpusers file to allow root access to your partner's system.
● As the root user, attempt to use the rlogin command to access your partner's system. Ask your partner to create a /.rhosts file that lists your system name. Attempt to use the rlogin command to access your partner's system again.
Tasks
Complete the following steps:
1 Log in as the root user, and open a terminal window. Change the directory to /var/adm.
2 Use the touch command to create a file called loginlog. (Ensure permissions are set to read and write for the root user only.) If necessary, set the group ownership to sys.
3 Log out. From the CDE Options menu, select the Command Line Login option. When the CDE login screen clears, press Return to obtain the command-line login prompt.
4 Enter root after the login prompt, but supply an incorrect password. Do this five times. After the fifth attempt, the CDE login screen appears again. Log in as root, and open a terminal window.
5 Examine the /var/adm/loginlog file. What does it contain?
6 Use the finger command to display information for the user called user9. What is the difference in the output between the finger -m command and the finger command with no option?
7 Use the finger command to display information for the same user on your partner's system. (You will need to reference your partner's system on the command line.) Try this with and without the -m option. Does the -m option change the output that the finger command displays?
8 Use the last command to display login and system reboot activity. When did the first root login occur, and how long did that session last?
9 Use the last command to display only system boot activity. When did the system last reboot?
10 Use the rusers command to list information about the users on all systems on your network segment.
11 Use the rusers command to list information for users on your partner's system. When, and on what terminal, did the first user listed log in?
12 Switch your user identity to that of user9. Do not use the - (dash) option.
13 Display some of the variables that define your environment.
14 Exit the su session and try to switch your user identity again, this time using the - (dash) option. Are the values reported now correct for the user root or for user9?
15 Use the whoami and who am i commands to list your effective and real user identity. What do these commands report?
16 Use the su command to change your user identity from user9 to user3, and use the whoami and who am i commands again.
17 Change the directory to /etc/default. Examine the /etc/default/su file, and record the value of the SULOG variable.
18 Display the file named by the SULOG variable, and identify the entry that relates to your last su command. Is user9 or the root user identified as the user who became user3?
19 As the user root, attempt to log in to your partner's system by using the telnet command. Was your attempt successful? What message appears?
20 On your partner's system, edit the /etc/default/login file, and change the line that sets the CONSOLE variable so that it is commented out.
21 Attempt the telnet session to your partner's system again. Was your attempt successful this time?
22 As the root user, attempt to use the ftp command to access your partner's system. Were you successful? Ask your partner to edit the /etc/ftpd/ftpusers file and comment out the root entry. Attempt to use the ftp command to access your partner's system again. List some files in the /tmp directory from the ftp> prompt.
23 As the root user, attempt to use the rlogin command to access your partner's system. Were you successful? Ask your partner to create a /.rhosts file and enter the name of your system on a line by itself. Attempt to use the rlogin command to access your partner's system again.
Exercise: User Access (Level 3)
Preparation
This lab requires two systems that list each other in their /etc/inet/hosts files. It also requires two specific users, user9 and user3, on both systems. Both users should use the password 123pass. Refer to the lecture notes as necessary to perform the steps listed.
Tasks and Solutions
Complete the following steps:
1 Log in as the root user, and open a terminal window. Change the directory to /var/adm.
# cd /var/adm
2 Use the touch command to create a file called loginlog. (Ensure permissions are set to read and write for the root user only.) If necessary, set the group ownership to sys.
4 Enter root after the login prompt, but supply an incorrect password. Do this five times. After the fifth attempt, the CDE login screen appears again. Log in as root, and open a terminal window.
5 Examine the /var/adm/loginlog file. What does it contain?
This file should contain a list of failed login attempts which appear similar to the following:
login:/dev/pts/2:Tue Dec 7 13:29:22 2004
6 Use the finger command to display information for the user called user9. What is the difference in output between the finger -m command and the finger command with no option?
# finger user9
# finger -m user9
The finger command with no option lists all user accounts that have the string user in their names and comment fields. The finger -m command lists only the entry for the user named user9.
7 Use the finger command to display information for the same user on your partner's system. (You will need to reference your partner's system on the command line.) Try this with and without the -m option. Does the -m option change the output that the finger command displays?
# finger user9@hostname
# finger -m user9@hostname
8 Use the last command to display login and system reboot activity. When did the first root login occur, and how long did that session last?
# last
This information depends on the activity on your particular system.
9 Use the last command to display only system boot activity. When did the system last reboot?
# last reboot
This information depends on the activity on your particular system.
10 Use the rusers command to list information about the users on all systems on your network segment.
# rusers -l
11 Use the rusers command to list information about the users on your partner's system. When, and on what terminal, did the first user listed log in?
This information depends on the activity on your particular system.
12 Switch your user identity to that of user9. Do not use the - (dash) option.
15 Use the whoami and who am i commands to list your effective and real user identity.
$ /usr/ucb/whoami
$ who am i
What do these commands report?
The /usr/ucb/whoami command displays the login name matching your effective UID, user9. The who am i command displays the login name matching your real UID, root.
16 Use the su command to change your user identity from user9 to user3, and use the whoami and who am i commands again.
# cat /var/adm/sulog
The sulog entry identifies root as the user who became user3.
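As an added example (not from the course text), the script below summarizes the two files this exercise examines: /var/adm/loginlog (step 5) and the sulog named in /etc/default/su (step 18). The line formats it parses are the ones shown in the course and documented for Solaris login(1) and su(1M); the log lines are constructed for the demonstration, and the default threshold of five mirrors the retry limit the lab triggers.

```shell
#!/bin/sh
# Added example; not part of the Sun course text. Summarizes the two audit
# files the exercise looks at. Formats assumed:
#   /var/adm/loginlog   login-name:tty:time               (one line per failed login)
#   /var/adm/sulog      SU MM/DD HH:MM +|- tty from-to    (+ success, - failure)
# The sample lines in demo_audit_logs are constructed.

# loginlog_summary FILE [THRESHOLD]
# One line per login name and tty: "count login tty [first .. last]", busiest
# first. Pairs at or above THRESHOLD (default 5) are marked BRUTEFORCE?.
loginlog_summary() {
    awk -F: -v thr="${2:-5}" '
    NF < 3 { next }                              # skip malformed lines
    {
        t = $3
        for (i = 4; i <= NF; i++) t = t ":" $i   # the time field itself contains colons
        key = $1 " " $2
        n[key]++
        if (!(key in first)) first[key] = t
        last[key] = t
    }
    END {
        for (k in n)
            printf "%d %s [%s .. %s]%s\n", n[k], k, first[k], last[k],
                   (n[k] >= thr) ? " BRUTEFORCE?" : ""
    }' "$1" | sort -rn
}

# sulog_summary FILE
# Prints "status from->to tty=TTY MM/DD HH:MM" for every su record, then a
# "failed_to_root N" line, the count a monitoring job would alert on.
sulog_summary() {
    awk '
    $1 == "SU" && NF >= 6 {
        split($6, p, "-")                        # "from-to"
        status = ($4 == "+") ? "ok  " : "FAIL"
        printf "%s %s->%s tty=%s %s %s\n", status, p[1], p[2], $5, $2, $3
        if ($4 == "-" && p[2] == "root") failed_root++
    }
    END { printf "failed_to_root %d\n", failed_root + 0 }' "$1"
}

# demo_audit_logs: writes constructed samples to a temp dir and runs both summaries.
demo_audit_logs() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/loginlog" <<'EOF'
root:/dev/pts/2:Tue Dec  7 13:29:22 2004
root:/dev/pts/2:Tue Dec  7 13:29:31 2004
root:/dev/pts/2:Tue Dec  7 13:29:40 2004
root:/dev/pts/2:Tue Dec  7 13:29:48 2004
root:/dev/pts/2:Tue Dec  7 13:29:57 2004
user9:/dev/pts/4:Tue Dec  7 14:02:10 2004
EOF
    cat > "$dir/sulog" <<'EOF'
SU 12/07 13:31 + pts/2 root-user9
SU 12/07 13:33 + pts/2 user9-user3
SU 12/07 14:10 - pts/4 user9-root
SU 12/07 14:11 - pts/4 user9-root
SU 12/07 14:12 + pts/4 user9-root
EOF
    echo "== loginlog =="
    loginlog_summary "$dir/loginlog"
    echo "== sulog =="
    sulog_summary "$dir/sulog"
    rm -rf "$dir"
}
```

On a real system run loginlog_summary /var/adm/loginlog and sulog_summary "$(sed -n 's/^SULOG=//p' /etc/default/su)"; two failed su attempts to root followed by a success on the same tty, as in the sample, is the pattern worth reading in full.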
19 As the root user, attempt to log in to your partner's system by using the telnet command. Was your attempt successful? What message appears?
Last login: Sun Oct 17 09:21:17 from localhost
Sun Microsystems Inc SunOS 5.10 s10_68 Sep 20, 2004
# exit
Connection closed by foreign host
#
22 As the root user, attempt to use the ftp command to access your partner's system. Were you successful?
No, you should receive the message: Login incorrect. Login failed.
Ask your partner to edit the /etc/ftpd/ftpusers file and comment out the root entry. Attempt to use the ftp command to access your partner's system again. List some files in the /tmp directory from the ftp> prompt.
You should see files such as:
dtdbcache_:0  sdtvolcheck402  speckeysd.lock
23 As the root user, attempt to use the rlogin command to access your partner's system. Were you successful?
You should not be able to use the rlogin command to directly access your partner's system. You should be prompted for a password.
Ask your partner to create a /.rhosts file and enter the name of your system on a line by itself. Attempt to use the rlogin command to access your partner's system again.
You should be able to use the rlogin command to log directly in to your partner's system now.
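Steps 19 through 23 leave the partner's system deliberately weakened. The added script below, which is not part of the course, reports from the two files involved whether root can log in from any terminal or over FTP, and restores the shipped settings. It assumes the Solaris file formats stated in its header comment; its sample files are constructed copies in the state the lab leaves behind.

```shell
#!/bin/sh
# Added example; not part of the Sun course text. Reports whether root can
# reach a system over the network through the two files the exercise weakens
# (steps 20 and 22), and puts them back to their shipped strength.
# Formats assumed, from Solaris login(1) and ftpd(1M):
#   /etc/default/login   an active "CONSOLE=/dev/console" line limits root logins
#                        to that device; a commented-out or absent line lets root
#                        log in from any terminal (telnet included). An empty
#                        value is deliberately not interpreted here.
#   /etc/ftpd/ftpusers   one login name per line; listed names are refused by ftpd.

# remote_root_login_status LOGIN_DEFAULTS -> "console-only" or "any-terminal"
remote_root_login_status() {
    if grep -q '^[[:space:]]*CONSOLE=' "$1" 2>/dev/null; then
        echo console-only
    else
        echo any-terminal
    fi
}

# root_ftp_status FTPUSERS -> "denied" when root is listed, else "allowed"
root_ftp_status() {
    if grep -q '^[[:space:]]*root[[:space:]]*$' "$1" 2>/dev/null; then
        echo denied
    else
        echo allowed
    fi
}

# harden_root_access LOGIN_DEFAULTS FTPUSERS
# Restores an active CONSOLE=/dev/console line and an uncommented root entry,
# editing a copy and moving it into place so a half-written file is never read.
harden_root_access() {
    if grep -q '^[[:space:]]*#[[:space:]]*CONSOLE=' "$1"; then
        sed 's|^[[:space:]]*#[[:space:]]*CONSOLE=.*|CONSOLE=/dev/console|' "$1" > "$1.new" && mv "$1.new" "$1"
    elif ! grep -q '^[[:space:]]*CONSOLE=' "$1"; then
        echo 'CONSOLE=/dev/console' >> "$1"
    fi
    if grep -q '^[[:space:]]*#[[:space:]]*root[[:space:]]*$' "$2"; then
        sed 's|^[[:space:]]*#[[:space:]]*root[[:space:]]*$|root|' "$2" > "$2.new" && mv "$2.new" "$2"
    elif ! grep -q '^[[:space:]]*root[[:space:]]*$' "$2"; then
        echo root >> "$2"
    fi
}

# demo_root_access: constructed copies in the state the lab leaves behind,
# reported before and after hardening.
demo_root_access() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/login" <<'EOF'
# constructed sample of /etc/default/login
#CONSOLE=/dev/console
PASSREQ=YES
EOF
    cat > "$dir/ftpusers" <<'EOF'
# constructed sample of /etc/ftpd/ftpusers
#root
daemon
bin
EOF
    echo "before: root login=$(remote_root_login_status "$dir/login") ftp=$(root_ftp_status "$dir/ftpusers")"
    harden_root_access "$dir/login" "$dir/ftpusers"
    echo "after:  root login=$(remote_root_login_status "$dir/login") ftp=$(root_ftp_status "$dir/ftpusers")"
    rm -rf "$dir"
}
```

Against the real files the two status functions are safe to run read-only at any time; harden_root_access rewrites /etc/default/login and /etc/ftpd/ftpusers and therefore belongs at the end of the lab, not in the middle of it.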
Exercise Summary
Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercises.
● Experiences
● Interpretations
● Conclusions
● Applications
Restricting Access to Data in Files
After you have established login restrictions, the next task is to control access to the data on the systems. Of course, some users need to be allowed to read various files; other users need permission to change and delete files, and there are some files that no regular user should be able to access.
Users who need to share files should be in the same group in the /etc/group file.
Note – In general, you use file access permissions to determine which users or groups have permission to read, modify, or delete files.
Determining a User’s Group Membership
The groups command displays group memberships for the user.
The command format for the groups command is:
groups [username]
For example, to see which groups you are a member of, perform the command:
# groups
other root bin sys adm uucp mail tty lp nuucp daemon
To list the groups to which a specific user is a member, use the groups command with the user's name, such as user5, as an argument.
# groups user5
staff class sysadmin
Identifying a User Account
You use the id command to further identify users by listing their UID number, user name, GID number, and group name. This information is useful when you are troubleshooting file access problems for users.
The id command also returns the EUID number and name, and the EGID number and login name. For example, if you logged in as user1 and then used the su command to become user4, the id command reports the information for the user4 account.
The command format for the id command is:
Example output:
uid=101(user1) gid=300(class) groups=14(sysadmin)
Changing File and Directory Ownership
You might need to use the chown command to change the original owner of a file or directory to another user account on the system. By default, only the root user can change the ownership of a file or directory.
Note – Regular users can be given permission to use the chown command to change the ownership of files and directories owned by them. Edit the /etc/system file, and add the parameter: set rstchown=0 (zero). You need to reboot the system for the changes to take effect.
The command format for the chown command is:
or
Note – The user must exist in the /etc/passwd file.
In this example, a user named user1 created a file called file7.
The ownerships of subdirectories can be changed in the same manner as files, as shown in the following examples:
In this example, user1 owns a directory called dir4.
$ ls -lR dir4
dir4:
total 0
-rw-r--r--   1 user1    staff          0 Mar 19 16:06 file1
-rw-r--r--   1 user1    staff          0 Mar 19 16:06 file2
-rw-r--r--   1 user1    staff          0 Mar 19 16:06 file3
$
You would use the chown command with the -R option to give ownership of this directory and all of its contents (files and subdirectories) to user2.
$ chown -R user2 dir4
$ ls -lR dir4
dir4:
total 0
-rw-r--r--   1 user2    staff          0 Mar 19 16:06 file1
-rw-r--r--   1 user2    staff          0 Mar 19 16:06 file2
-rw-r--r--   1 user2    staff          0 Mar 19 16:06 file3
$
The -R option makes the chown command recursive. It descends through the directory and any subdirectories, setting the ownership UID number as it moves through the directory hierarchy.
The chown command can also change both the individual and group ownership of a file or subdirectory simultaneously.
$ chown user3:class file2
Additionally, you can use the -R option to descend a directory hierarchy recursively, changing individual and group ownership of the directory and its contents simultaneously. The following example demonstrates this kind of change to the dir1 directory.
-rw-r--r--   1 user3    class          0 Mar 19 16:18 file1
-rw-r--r--   1 user3    class          0 Mar 19 16:18 file2
Changing File and Directory Group Membership
The chgrp command can be used by the root user or the file's owner to change the group ownership of files and directories to another group on the system. However, the file owner must also belong to the new group.
Note – Regular users can be given permission to use the chgrp command to change a file's or directory's group ownership to groups of which the user is not a member. Edit the /etc/system file, and add a parameter: set rstchown=0 (zero). You must reboot the system for the changes to take effect.
The command format for the chgrp command is:
or
Note – The groupname must exist in the /etc/group file.
For example, the file4 file currently is a member of a group named staff.
Using File Permissions
Three types of special permissions are available for executable files and directories. These are:
● The setuid permission
● The setgid permission
● The Sticky Bit permission
The setuid Permission on Executable Files
When the set-user identification (setuid) permission is set on an executable file, a user or process that runs this executable file is granted access based on the owner of the file (usually the root user), instead of on who started the executable.
This setting allows a user to access files and directories that are typically accessible only by the owner of the executable. Note that many executable programs must be run by the root user, or by sys or bin, to work properly.
Use the ls command to check the setuid permission.
# ls -l /usr/bin/su
-r-sr-xr-x   1 root     sys        22292 Jan 15 17:49 /usr/bin/su
The setuid permission displays as an "s" in the owner's execute field.
Note – If a capital "S" appears in the owner's execute field, it indicates that the setuid bit is on, and the execute bit "x" for the owner of the file is off or denied.
The root user and the owner can set the setuid permissions on an executable file by using the chmod command and the octal value 4###. For example:
Caution – Except for those setuid executable files that exist by default in the Solaris OS, you should disallow the use of setuid programs or at
To search for files with setuid permissions and to display their full path names, perform the command:
# find / -perm -4000
The setgid Permission on Executable Files
The set-group identification (setgid) permission is similar to the setuid permission, except that when the process runs, it runs as if it were a member of the same group in which the file is a member. Also, access is granted based on the permissions assigned to that group.
For example, the write program has a setgid permission that allows users to send messages to other users' terminals.
Use the ls command to check the setgid permission.
# ls -l /usr/bin/write
-r-xr-sr-x   1 root     tty        11484 Jan 15 17:55 /usr/bin/write
The setgid permission displays as an "s" in the group's execute field.
Note – If a lowercase letter "l" appears in the group's execute field, it indicates that the setgid bit is on, and the execute bit for the group is off or denied. This indicates that mandatory file and record locking occurs during file access for those programs that are written to request locking.
The root user and the owner can set setgid permissions on an executable file by using the chmod command and the octal value 2###. Here is the command-line format:
To create a shared directory, you must set the setgid bit using symbolic mode. Here is the format for that mode:
To search for files with setgid permissions and display their full path names, perform the command:
# find / -perm -2000
Sticky Bit Permission on Public Directories
The Sticky Bit is a special permission that protects the files within a publicly writable directory.
If the directory permissions have the Sticky Bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by the root user. This prevents a user from deleting other users' files from publicly writable directories.
Use the ls command to determine if a directory has the Sticky Bit permission set.
# ls -ld /tmp
The Sticky Bit displays as the letter "t" in the execute field for other.
Note – If a capital "T" appears in the execute field for other, it indicates that the Sticky Bit is on; however, the execute bit is off or denied.
The root user and the owner can set the Sticky Bit permission on directories by using the chmod command and the octal value 1###. Here is the command-line format:
To search for directories that have Sticky Bit permissions and display their full path names, execute the following command:
# find / -type d -perm -1000
Note – For more detailed information on the Sticky Bit, execute the man
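The three find commands in this section produce a list; what a practitioner actually wants is to know when that list changes. As an added example, not from the course text, the script below turns the same find -perm tests into an inventory and compares it with a saved baseline, so a setuid program that was not present at install time stands out. The tree it audits is constructed in a temporary directory with the modes the course shows for /usr/bin/su, /usr/bin/write and /tmp.

```shell
#!/bin/sh
# Added example; not part of the Sun course text. Inventories the files that
# carry setuid, setgid or sticky permission under a directory and compares the
# inventory with a saved baseline, so that a setuid program that was not there
# at install time stands out. Only portable find(1) -perm tests are used; the
# sample tree is constructed in a temporary directory.
export LC_ALL=C      # stable sort order for comm(1)

# special_perm_inventory DIR
# Prints sorted lines "TAG path", TAG being setuid, setgid or sticky.
special_perm_inventory() {
    {
        find "$1" -type f -perm -4000 -print | sed 's/^/setuid /'
        find "$1" -type f -perm -2000 -print | sed 's/^/setgid /'
        find "$1" -type d -perm -1000 -print | sed 's/^/sticky /'
    } | sort
}

# special_perm_diff BASELINE_FILE DIR
# Prints "+ TAG path" for entries missing from the baseline and "- TAG path"
# for baseline entries that are gone. Exit status 1 if anything changed.
special_perm_diff() {
    cur=$(mktemp) || return 2
    special_perm_inventory "$2" > "$cur"
    sort "$1" > "$cur.base"
    comm -13 "$cur.base" "$cur" | sed 's/^/+ /'
    comm -23 "$cur.base" "$cur" | sed 's/^/- /'
    changed=$(comm -3 "$cur.base" "$cur" | wc -l | tr -d ' ')
    rm -f "$cur" "$cur.base"
    [ "$changed" -eq 0 ]
}

# demo_special_perms: constructed tree with the modes the course shows for
# /usr/bin/su (-r-sr-xr-x), /usr/bin/write (-r-xr-sr-x) and /tmp (drwxrwxrwt),
# baselined, then two setuid files appear: a normal one and one without owner
# execute, the case ls(1) displays as a capital S.
demo_special_perms() {
    dir=$(mktemp -d) || return 2
    mkdir -p "$dir/bin" "$dir/tmp"
    : > "$dir/bin/su";    chmod 4555 "$dir/bin/su"
    : > "$dir/bin/write"; chmod 2555 "$dir/bin/write"
    chmod 1777 "$dir/tmp"
    (cd "$dir" && special_perm_inventory . > baseline.txt)
    : > "$dir/bin/newsuid"; chmod 4755 "$dir/bin/newsuid"
    : > "$dir/bin/oddS";    chmod 4644 "$dir/bin/oddS"
    rc=0
    (cd "$dir" && special_perm_diff baseline.txt .) || rc=$?
    rm -rf "$dir"
    return $rc
}
```

For a real system, record special_perm_inventory / into a file kept off the host right after installation, and run special_perm_diff against it from cron; a non-zero exit with a "+ setuid" line is the event to investigate.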
Exercise: Restricting Access to Data on Systems (Level 1)
In this exercise, you complete the following tasks:
● Practice using commands related to user identity and file ownership
● Assign a user to the sysadmin group
● Assign special file permissions to files
Preparation
Refer to lecture notes as necessary to perform the steps listed
Tasks
Complete the following tasks:
● Using the commands presented in the lecture, identify the groups of which root is a member. Compare the output from these commands. Add a user account called user11 with the useradd command. Verify the list of groups of which user11 is a member. Use the Solaris Management Console to create a new user account called user12. Add user11 to the sysadmin group.
(Steps 1–7 in the Level 2 lab)
● Log in as user11 and create a new file called file1. Attempt to change its user ownership. Record error messages. Change the group ownership of file1 to sysadmin. Switch the user identity to the root user, and change 
ownership of file1 to user12.
(Steps 8–11 in the Level 2 lab)
● As user11, create a new file called file2. Set setuid and setgid permissions on file2. Remove all execute permissions from file2. Record the permissions listed as you change them.
(Steps 12–15 in the Level 2 lab)
● Record the permissions associated with the /tmp directory. As user11, create a new file called test1 in the /tmp directory. As user12, attempt to remove this file. Record the result. As user11, create a new directory called dir1 in /export/home/user11. Set permissions for the dir1 directory to 777. Create a file called test2 in the dir1 directory. As user12, attempt to remove this file. Record the result. Log in again as the root user.
(Steps 16–21 in the Level 2 lab)
Exercise: Restricting Access to Data on Systems (Level 2)
Task Summary
In this exercise, you accomplish the following:
● Using the commands groups, id, and id -a, identify the groups of which the root user is a member. Compare the output from these commands. Add a user account called user11 with the useradd command. Verify the list of groups of which user11 is a member. Use the Solaris Management Console to create a new user account called user12. Add user11 to the sysadmin group.
● Log in as user11 and create a new file called file1. Attempt to change its user ownership. Record error messages. Change the group ownership of file1 to sysadmin. Switch your user identity to the root user, and change ownership of file1 to user12.
● As user11, create a new file called file2. Use the chmod command to set setuid and setgid permissions on file2. Use the chmod command to remove all execute permissions from file2. Record the permissions listed as you change them.
● Record the permissions associated with the /tmp directory. As user11, create a new file called test1 in the /tmp directory. As user12, attempt to remove this file. Record the result. As user11, create a new directory called dir1 in /export/home/user11. Set permissions for the dir1 directory to 777. Create a file called test2 in the dir1 directory. As user12, attempt to remove this file. Record the result. Log in again as the root user.
Tasks
Complete the following steps:
1 Log in as the root user, and open a terminal window. Use the groups command to display the groups of which root is a member. Record the list that the groups command displays.
2 Use the id command both without and then with the -a option. Does the id command report the primary or a secondary group for the root user? Compare the id -a command output with that from the groups command in Step 1. What additional information does the id -a command provide?
3 Use the useradd command to create a new user account called user11 with the following characteristics:
Primary Group: 10
Home Directory: /export/home/user11
5. Open a terminal window, and launch the Solaris Management Console.
6. Open the User Accounts tool. Select Add User from the Action menu. Then select From Template. Create a user account from the following information. Exit the Solaris Management Console when you are finished.
7. From a terminal window, use the usermod command to add user11 to group 14. Verify that the change took place. Log out.
8. Log in as user11. Open a terminal window, and use the touch command to create a file called file1. Verify that user11 and the group staff own file1.
9. Attempt to change the owner of file1 from user11 to user12. What error message displays?
10. Attempt to change the group ownership of file1 from staff to sysadmin. Verify the change. Did it work?
11. Switch your user identity to the root user, and change the directory to /export/home/user11. Change the owner of file1 from user11 to user12. Verify the change. Did it work? Exit your su session when you are finished.
12. In the home directory for user11, use the touch command to create a file called file2. Display and record the permissions associated with file2.
13. Use the chmod command to add setuid and execute permissions to file2. Display and record the permissions associated with file2. What changed?
14. Use the chmod command to add setuid and setgid permissions to file2. Display and record the permissions associated with file2. What changed?
15. Use the chmod command with octal arguments to remove all execute permissions from file2. Display and record the permissions associated with file2. What changed?
16. Change the directory to / (root), and list the permissions associated with the /tmp directory. Is the Sticky Bit set on /tmp? Do all users have write permission in the /tmp directory?
17. Change the directory to /tmp. Create a file called test1 in the /tmp directory. Verify that user11 and the group staff own test1 and that 644 (rw-r--r--) permissions apply. Do they?
18. Switch your user identity to user12. In the /tmp directory, attempt to remove the test1 file. What messages appear? Exit your su session when you are finished.
19. In the home directory for user11, create a directory called dir1. Change permissions for the dir1 directory to 777. Create a file called test2 below the dir1 directory.
20. Switch your user identity to user12. Attempt to remove the file test2 from the dir1 directory. Verify that the test2 file no longer exists. Exit your su session when you are finished.
21. Log out, and log in again as the root user.
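Steps 12 through 20 have you record how the mode string printed by ls -l changes as setuid, setgid and execute bits are added and removed, and then observe who can remove a file from the sticky-bit /tmp directory versus a plain 777 directory. The shell functions below are an added example, not part of the course material: perm_to_octal decodes that nine-character string back into the four-digit octal mode chmod accepts (an uppercase S or T means the special bit is set while the matching execute bit is not), and can_remove applies the sticky-bit unlink rule; the sample modes and owners are constructed to match the lab.

```shell
# Added example (not from the course): decode the ls -l mode string into
# octal, and apply the sticky-bit rule for removing files from a directory.

# perm_to_octal MODE   (MODE is e.g. "rwsr-sr-x"; prints e.g. 6755)
perm_to_octal() {
    mode=$1 special=0 digits="" pos=1
    for who in u g o; do
        bits=0
        r=$(printf '%s' "$mode" | cut -c "$pos")
        w=$(printf '%s' "$mode" | cut -c "$((pos + 1))")
        x=$(printf '%s' "$mode" | cut -c "$((pos + 2))")
        [ "$r" = r ] && bits=$((bits + 4))
        [ "$w" = w ] && bits=$((bits + 2))
        # lowercase s/t: special bit AND execute set; uppercase S/T: special
        # bit set, execute clear (what step 15 asks you to look for)
        case "$x" in x|s|t) bits=$((bits + 1)) ;; esac
        case "$who$x" in
            us|uS) special=$((special + 4)) ;;   # setuid
            gs|gS) special=$((special + 2)) ;;   # setgid
            ot|oT) special=$((special + 1)) ;;   # sticky bit
        esac
        digits="$digits$bits"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# can_remove USER DIR_OWNER DIR_MODE FILE_OWNER   -> prints yes or no
# Assumes USER already has write and search permission on the directory
# (true of /tmp and of a 777 dir1). With the sticky bit set, only the file
# owner, the directory owner, or root may unlink; otherwise write suffices.
can_remove() {
    user=$1 dir_owner=$2 dir_mode=$3 file_owner=$4
    sticky=$(printf '%s' "$dir_mode" | cut -c 9)
    if [ "$user" = root ] || [ "$user" = "$file_owner" ] || [ "$user" = "$dir_owner" ]; then
        echo yes
    elif [ "$sticky" = t ] || [ "$sticky" = T ]; then
        echo no
    else
        echo yes
    fi
}

# Constructed sample values (not captured from the lab systems): user12
# tries to remove user11's test1 from /tmp and test2 from dir1.
perm_to_octal rwxrwxrwt                     # 1777, sticky bit on /tmp
can_remove user12 root   rwxrwxrwt user11   # no  (step 18)
can_remove user12 user11 rwxrwxrwx user11   # yes (step 20)
```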
Exercise: Restricting Access to Data on Systems (Level 3)
In this exercise, you complete the following tasks:
● Practice using commands related to user identity and file ownership
● Assign a user to the sysadmin group
● Assign special file permissions to files
Preparation
Refer to lecture notes as necessary to perform the steps listed
Remote Lab Data Center (RLDC)
In addition to being able to use local classroom equipment, this lab has also been designed to use equipment located in a remote lab data center. Directions for accessing and using this resource can be found at:
http://fn1.brom.suned.com/
Ask your instructor for the particular SSH (Secure Shell) configuration file you should use to access the appropriate remote equipment for this exercise.
Task Summary
In this exercise, you accomplish the following:
● Using the commands groups, id, and id -a, identify the groups of which the root user is a member. Compare the output from these commands. Add a user account called user11 by using the useradd command. Verify the list of groups of which user11 is a member. Use the Solaris Management Console to create a new user account called user12. Add user11 to the sysadmin group.
● Log in as user11 and create a new file called file1. Attempt to change its user ownership. Record error messages. Change the group ownership of file1 to sysadmin. Switch your user identity to the root user, and change ownership of file1 to user12.
● As user11, create a new file called file2. Use the chmod command to set setuid and setgid permissions on file2. Use the chmod command to remove all execute permissions from file2. Record the permissions listed as you change them.
● Record the permissions associated with the /tmp directory. As user11, create a new file called test1 in the /tmp directory. As user12, attempt to remove this file. Record the result. As user11, create a new directory called dir1 in /export/home/user11. Set permissions for the dir1 directory to 777. Create a file called test2 in the dir1 directory. As user12, attempt to remove this file. Record the result. Log in again as the root user.
Tasks and Solutions
Complete the following steps:
1. Log in as the root user, and open a terminal window. Use the groups command to display the groups of which root is a member. Record the list that the groups command displays.
The id -a command reports group ID numbers in addition to group names for all groups.
3. Use the useradd command to create a new user called user11 with the following characteristics:
Home Directory: /export/home/user11
# useradd -u 1011 -g 10 -d /export/home/user11 -m -s /bin/ksh -c "SA200 User" user11
64 blocks
# passwd user11
New password: 123pass
Re-enter new password: 123pass
passwd (SYSTEM): passwd successfully changed for user11
7. From a terminal window, use the usermod command to add user11 to group 14. Verify that the change took place. Log out.