
MODULE: LINUX ADMINISTRATION AND SECURITY

Lab1: Access Control

Alaeddine Jebnoun
INDP3-CySD
2019-2020

Part I
POSIX ACL

1 STANDARD PERMISSIONS
1. After creating the different files and directories,

we can see that the default permissions for files and directories are:
• Directories: readable by everyone (owner, group, others), writable by owner and
group, and searchable by everyone (the x bit on a directory means search, i.e. the right
to reach its entries by name).
• Files: readable by everyone, writable only by owner and group, and executable by
nobody.
To explain these default permissions we can type the command umask. It displays 0002,
which means that the default mode for directories is 777 with the umask bits cleared, giving
775 (rwxrwxr-x), and for files 666 with the umask bits cleared, giving 664 (rw-rw-r--). For a
umask of 002 this is the same as subtracting (777-002 and 666-002), but umask is a bit mask
rather than a number to subtract: with umask 027, for example, a new file gets 640, not 666-027.

2. To obtain the same results as in the lab we can execute the following commands:

To disable search on the directory we remove the execute (search) bit from the directory's
permissions, since x on a directory is what allows its entries to be reached by name:

3. To obtain the same results as in question 3:
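The umask rule from question 1, as an added example that is not part of the lab report: default_mode applies the mask bitwise, symbolic renders a mode the way ls -l shows it, and the demo creates a directory and a file under umask 0002 and then drops the search bit as in question 2. The temporary directory names are the script's own; umask 0027 is an extra value chosen to show where plain subtraction breaks.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): how umask turns the 777/666 base modes
# into default modes. umask is a bit mask, not a number to subtract:
#   mode = base AND NOT umask
# Subtraction happens to give the right answer for 0002 but not in general.

# default_mode BASE UMASK -> octal mode, e.g. default_mode 777 0002 -> 775
default_mode() {
    base="$1"; mask="$2"
    # the leading 0 forces octal; & 0777 drops the sign bits that ~mask sets
    printf '%03o' $(( 0$base & ~0$mask & 0777 ))
}

# symbolic MODE -> rwxrwxr-x style string, as printed by ls -l
symbolic() {
    m=$(( 0$1 & 0777 ))
    s=""
    for spec in 256:r 128:w 64:x 32:r 16:w 8:x 4:r 2:w 1:x; do
        bit=${spec%%:*}; ch=${spec##*:}
        if [ $(( m & bit )) -ne 0 ]; then s="$s$ch"; else s="$s-"; fi
    done
    printf '%s' "$s"
}

# Worked check against the lab's umask of 0002 and a stricter 0027
for u in 0002 0027; do
    printf 'umask %s: dir %s (%s), file %s (%s)\n' "$u" \
        "$(default_mode 777 "$u")" "$(symbolic "$(default_mode 777 "$u")")" \
        "$(default_mode 666 "$u")" "$(symbolic "$(default_mode 666 "$u")")"
done
# Subtraction would say 666-027=639, which is not even a valid mode;
# the mask gives 640 (rw-r-----).

# Create a directory and a file under umask 0002 (constructed, in a temp dir)
# and then remove the search bit from the directory, as in question 2
tmp=$(mktemp -d)
( umask 0002; mkdir "$tmp/dir1"; touch "$tmp/dir1/file1" )
ls -ld "$tmp/dir1" "$tmp/dir1/file1"
chmod a-x "$tmp/dir1"          # drop search (x): entries can no longer be reached by name
ls -ld "$tmp/dir1"
chmod u+x "$tmp/dir1"          # give search back so the cleanup can traverse it
rm -rf "$tmp"
```

Note that root bypasses the search bit (and all other DAC checks), so the effect of chmod a-x has to be observed as an unprivileged user.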

2 ACL FILE PERMISSIONS


1. The command that uses ACL file permissions to grant user1 extra access rights is shown
in the figure below:

2. To copy all the ACL entries from file1 to file3 in one command we can write:

3. user1 cannot read file3 because the mask is set to ---. The mask caps the effective
permissions of every named user, every named group and the owning group, so user1's entry
and the group entry are both reduced to nothing; only the owner's own entry (user::) and
other:: are not limited by the mask.
To set the effective permissions as indicated in the figure we can use the command below.
On a file that carries an extended ACL, chmod's group bits set the mask rather than the
owning group's entry, so chmod g= sets the mask to ---:
$ chmod g= file3
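The mask rule from question 3, as an added example that is not part of the lab report: acl_effective reads getfacl output on stdin and annotates every entry the mask limits, which is the same rule getfacl itself applies when it prints "#effective:". The two ACL listings are constructed for file3 (mask --- as in the lab, then mask rw-); setfacl is not run, so the script works on any machine.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): how the ACL mask caps the effective
# permissions of named users, named groups and the owning group.
# acl_effective takes getfacl output on stdin and prints it back with an
# "#effective:" annotation on every entry the mask reduces.

acl_effective() {
    awk -F: '
    # bitwise AND of two rwx strings, e.g. and_perm("rwx", "r--") -> "r--"
    function and_perm(p, m,    i, r, c) {
        r = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            r = r ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        return r
    }
    /^#/ || /^$/ { print; next }     # header lines pass through unchanged
    { entries[++n] = $0 }
    $1 == "mask" { mask = $3 }       # mask::rwx
    END {
        for (i = 1; i <= n; i++) {
            split(entries[i], f, ":")
            # user:: (owner) and other:: are never masked; user:NAME:,
            # group:: (owning group) and group:NAME: are
            if (mask != "" && ((f[1] == "user" && f[2] != "") || f[1] == "group")) {
                eff = and_perm(f[3], mask)
                if (eff != f[3]) {
                    printf "%-24s#effective:%s\n", entries[i], eff
                    continue
                }
            }
            print entries[i]
        }
    }'
}

# Constructed getfacl output for file3 after: chmod g= file3
# (with an extended ACL, the group bits shown by ls -l and set by chmod g=
# are the mask, not the owning group's own entry)
acl_masked='# file: file3
# owner: user2
# group: user2
user::rw-
user:user1:rwx
group::r--
mask::---
other::---'

# The same ACL after: setfacl -m m::rw- file3   (or chmod g=rw file3)
acl_rw=$(printf '%s\n' "$acl_masked" | sed 's/^mask::---/mask::rw-/')

echo "== mask ---: user1 and the owning group get nothing =="
printf '%s\n' "$acl_masked" | acl_effective
echo
echo "== mask rw-: user1 keeps rw, loses x =="
printf '%s\n' "$acl_rw" | acl_effective
```

When setfacl -m adds or changes an entry it recomputes the mask to cover the new entry (unless -n is given); a later chmod on the group bits overrides that, which is why a file can end up with generous ACL entries and a mask that makes them useless.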

Part II
SELinux

3 MANAGE SELINUX


1. The file /etc/selinux/config contains the SELinux mode that is applied at boot. Our mode is enforcing.

To change the default mode to permissive we can type the command below. The edit in
/etc/selinux/config takes effect from the next boot; setenforce 0 would switch the running
mode immediately, but only until the next reboot:

2. To display the SELinux booleans related to the httpd process we can use grep on the output of
getsebool -a:

3. Displaying SELinux context label on /etc/passwd and /etc/hosts files

After copying them into the home directory we can see that the context label has changed: cp creates a new file, which is labelled with the default type of its destination directory, whereas mv would have kept the original label.

4. Displaying the default values of the SELinux booleans:

To change the value of SELinux boolean, we use the setsebool command:

5. To change the context of a file we use the chcon command:

To restore the default context of a file we use the restorecon command:
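The two places a SELinux mode lives, as an added example that is not part of the lab report: the SELINUX= line in /etc/selinux/config, read at boot, and the running mode changed by setenforce, which is lost at reboot. The helpers edit a constructed copy of the config file rather than the real one; setenforce, getenforce, setsebool, chcon and restorecon are shown as comments because they need a SELinux host and root.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): persistent versus runtime SELinux mode.
# The helpers work on any file with the /etc/selinux/config layout, so they
# are demonstrated on a constructed copy instead of the real file.

# selinux_config_mode FILE -> enforcing | permissive | disabled
# Matches only the SELINUX= key; SELINUXTYPE= and commented lines are ignored.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# set_selinux_config_mode FILE MODE -> rewrites the SELINUX= line
# Only the three documented values are accepted: a typo here would leave the
# machine booting with SELinux in an undefined state.
set_selinux_config_mode() {
    f="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed copy of a stock /etc/selinux/config for the demonstration
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

echo "boot-time mode in config: $(selinux_config_mode "$cfg")"
set_selinux_config_mode "$cfg" permissive
echo "after edit:               $(selinux_config_mode "$cfg")"
rm -f "$cfg"

# On a real host the edit above takes effect at the next boot. To change the
# running mode now (until reboot) use setenforce and compare the two views:
#   setenforce 0                          # permissive now, config untouched
#   getenforce                            # Permissive
#   grep '^SELINUX=' /etc/selinux/config  # still enforcing
#   sestatus                              # shows both
# Booleans and labels follow the same persistent/runtime split:
#   setsebool httpd_can_network_connect on     # until reboot
#   setsebool -P httpd_can_network_connect on  # written to the policy store
#   chcon -t user_home_t FILE                  # lost at the next relabel
#   restorecon -v FILE                         # back to the policy default
if command -v getenforce >/dev/null 2>&1; then
    echo "runtime mode on this host: $(getenforce)"
fi
```

Going from disabled back to enforcing needs a full relabel at boot (touch /.autorelabel), because files created while SELinux was disabled carry no label at all.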

4 SELINUX AND KEY-BASED SSH AUTHENTICATION
First of all, we need to check that the SSH server and the SSH client are on the same network,
so we ping the server from the client.

1. The IP address of our SSH server is 192.168.1.159 and the address of the client is 192.168.1.147

2. Now we use ssh-keygen to generate a public/private key pair

3. scp is used in this step to copy the public key to ~/.ssh/authorized_keys on the server
machine (scp overwrites an existing authorized_keys; ssh-copy-id would append to it and set
the expected modes)

4. To check the SELinux context of ~/.ssh/authorized_keys, we type $ ls -Zd authorized_keys.


We can check that the type is ssh_home_t (I don't know why the user is not sshd)

5. To disable password-based authentication we should modify the /etc/ssh/sshd_config
file.

6. In my case this didn't work and I couldn't find a solution

7. To change the context of authorized_keys we use the chcon command

SSH access is then denied by SELinux, because the sshd process is no longer allowed to read
the relabelled authorized_keys file, so the key is never found and the login fails.
When we restore the default context with restorecon we are able to connect again
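The key-based login path of steps 2 to 7, as an added example that is not part of the lab report: an sshd_config editor that turns off every password path (KbdInteractive/ChallengeResponse as well as PasswordAuthentication, since PAM can otherwise still prompt for a password), a permission check for the conditions under which sshd ignores authorized_keys, and a context_type helper for the ssh_home_t check of step 4. The sshd_config lines and the home directory are constructed; nothing here talks to a real sshd. When a key login does not work (step 6), these are the usual things to verify, together with sshd -t and the server's auth log or journal, where key-file rejections and SELinux denials show up.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): the checks behind key-based SSH login.
# All functions take the paths they work on as arguments, so they are
# demonstrated on a constructed sshd_config and a temporary home directory.

# sshd_set_option FILE KEY VALUE: activate/replace a key, or insert it.
# sshd uses the first occurrence of a keyword, and anything after a Match line
# applies only to that block, so a missing key is inserted at the top.
sshd_set_option() {
    f="$1"; key="$2"; val="$3"
    if grep -q "^[#[:space:]]*$key[[:space:]]" "$f"; then
        sed "s/^[#[:space:]]*$key[[:space:]].*/$key $val/" "$f" > "$f.tmp"
    else
        { printf '%s %s\n' "$key" "$val"; cat "$f"; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# sshd_get_option FILE KEY -> first active value (empty if unset)
sshd_get_option() {
    sed -n "s/^$2[[:space:]][[:space:]]*//p" "$1" | head -n 1
}

# Disable every password path: plain password auth and PAM keyboard-
# interactive (old and new option names), and make sure keys stay enabled.
harden_sshd_config() {
    sshd_set_option "$1" PubkeyAuthentication yes
    sshd_set_option "$1" PasswordAuthentication no
    sshd_set_option "$1" KbdInteractiveAuthentication no
    sshd_set_option "$1" ChallengeResponseAuthentication no
}

# context_type CONTEXT -> the SELinux type, third field of user:role:type:level
context_type() {
    printf '%s' "$1" | cut -d: -f3
}

# check_ssh_perms HOME: with StrictModes yes (the default) sshd silently
# ignores authorized_keys if it, ~/.ssh or the home directory is
# group- or other-writable.
check_ssh_perms() {
    home="$1"; rc=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        case "$(ls -ld "$f" | cut -c1-10)" in
            ?????w*|????????w*) echo "group/other-writable, sshd will ignore keys: $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sshd_config fragment standing in for /etc/ssh/sshd_config
cfg=$(mktemp)
printf '%s\n' '#PasswordAuthentication yes' 'PermitRootLogin yes' 'UsePAM yes' > "$cfg"
harden_sshd_config "$cfg"
echo "--- hardened sshd_config ---"; cat "$cfg"
rm -f "$cfg"
# On a real server: sshd -t (syntax check), then restart sshd, keeping the
# current session open until a fresh key login has been verified.

# Constructed home directory with the modes ssh-copy-id would create
home=$(mktemp -d)
mkdir "$home/.ssh"; chmod 700 "$home/.ssh"
: > "$home/.ssh/authorized_keys"; chmod 600 "$home/.ssh/authorized_keys"
check_ssh_perms "$home" && echo "permissions OK"
chmod g+w "$home/.ssh/authorized_keys"   # a mode scp can leave behind; ssh-copy-id would not
check_ssh_perms "$home" || echo "permissions rejected, as sshd would"
rm -rf "$home"

# The label sshd needs on the key file is ssh_home_t (step 4); after a chcon
# to another type (step 7), restorecon -v ~/.ssh/authorized_keys puts it back.
context_type "unconfined_u:object_r:ssh_home_t:s0"; echo
```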

Part III
Firewalld and Port Security

5 FIREWALLD
1. The default zone is public.

2. To list the services that firewalld allows by default in the default zone:

3. To remove the ssh service from the zone (denying SSH):

Now we reload and check the services again

4. Since we disabled the SSH service, trying to remotely access via SSH fails.

6 RICH RULES AND PORT FORWARDING WITH FIREWALLD
