Chapter 15 Flashcards
Applying Ownership and Permissions
Describe the basic level of file and directory security available in Linux.
Linux provides basic file and directory security by utilizing three categories of read, write, and execute permissions. The file or directory owner is assigned one set of permissions, the primary group is assigned another set of permissions, and everyone else on the Linux system is assigned a third set of permissions. You can set the permissions in the three categories separately to control the amount of access the group members and others on the Linux system have.
Explain how to modify the permissions assigned to a file or directory.
Linux uses the chmod command to assign permissions to files and directories. The chmod command uses two separate modes to assign permissions: symbolic mode and octal mode. Symbolic mode uses a single letter to identify the category for the owner (u), group (g), everyone else (o), and all (a). Following that, a plus sign, minus sign, or equal sign is used to indicate to add, remove, or set the permissions. The permissions are also indicated by a single letter for read (r), write (w), or execute (x) permissions. In octal mode an octal value is used to represent the three permissions for each category. The three octal values define the full set of permissions assigned to the file or directory.
Describe how Linux uses an access control list (ACL) to provide additional protection to files and directories.
Linux allows you to set additional permissions for multiple users and groups to each file and directory. The setfacl command provides an interface for you to define read, write, and execute permissions for users or additional groups outside the owner and primary group assigned to the file or directory. The getfacl command allows you to view the additional permissions.
Describe how Linux uses context-based permissions for further file and directory security.
Packages such as SELinux (for Red Hat–based distributions) and AppArmor (for Debian-based distributions) provide role-based mandatory access control (RBMAC) to enforce security permissions that override what the file or directory owner sets. The system administrator can define policies (or profiles in AppArmor) that are evaluated by the Linux kernel after any standard permissions or ACL rules are applied. You can fine-tune these permissions to control exactly what type of access the system allows to each individual file or directory.
What permissions can be applied to a file or directory? (Choose three.)
Read Write Delete Modify Execute
A, B, E. The basic Linux security permissions that you can set are read, write, and execute access, so options A, B, and E are correct. To delete a file a user must have write access because there is no delete access permission, so option C is incorrect. To modify a file a user must also have write access because there is no specific modify access permissions, so option D is incorrect.
What user categories can be assigned permissions in Linux? (Choose three.)
Root Owner Group Others Department
B, C, D. The three categories Linux uses for assigning permissions are the owner, the group, and all others on the system; thus answers B, C, and D are correct. The root user account already has full permissions on all files and folders, so it’s not specified as a separate category, so option A is incorrect. Linux doesn’t use a department category because departments must be defined as groups, so option E is also incorrect.
Sam needs to allow standard users to run an application with root privileges. What special permissions bit should she apply to the application file?
The sticky bit The SUID bit The GUID bit Execute Write
B. The Set User ID bit (SUID) allows all users to run applications as the root user account, so option B is correct. The sticky bit prevents users from deleting files for which they have group permissions but don’t own. It doesn’t allow users to run the file with root privileges, so option A is incorrect. The GUID bit directs Linux to set all files in a directory with the directory’s group assignment and not that of the user account creating the file. However, it doesn’t allow users to run files as the root user account, so option C is incorrect. The execute and write bits set those permissions for the standard category of users, groups, or others. They don’t allow users to run files as the root user account, so both options D and E are incorrect.
What are the equivalent symbolic mode permissions for the octal mode value of 644?
rwxrw-r-- -w--w--w- -w-r--r-- rwxrw-rw- rw-r—r--
E. The octal mode permission 644 represents read/write for the owner and read only for the group and other categories. In symbolic mode that would be rw-r–r–, so option E is correct. Option A, rwxrw-r–, would be octal mode 764, so it is incorrect. Option B, -w–w–w-, would be octal mode 222, so it is incorrect. Option C, -w-r–r–, would be octal mode 244, so it is also incorrect. Option D, rwxrw-rw-, would be octal mode 766, so it too is incorrect.
Fred was assigned the task of creating a new group on the company Linux server and now needs to assign permissions for that group to files and directories. What Linux utility should he use to change the group assigned to the files and directories? (Choose all that apply.)
chgrp chown chmod chage ulimit
A, B. The chgrp command is used to change the group assigned to a file or directory; however, you can also specify a new group with the chown command to change the owner and the group at the same time, so both options A and B are correct. The chmod command changes the permissions assigned to a file or directory but not the group, so option C is incorrect. The chage command is used to control the password of user accounts, not the group assigned to a file or directory, so option D is incorrect. The ulimit command is used to restrict the system resources a user account can use, not to set t
Sally needs to view the ACL permissions assigned to a file on her Linux server. What command should she use?
ls -Z ls -l getfacl chmod setfacl
C. The getfacl command retrieves all of the ACL permissions assigned to a file or directory, so option C is correct. The -Z option added to the ls command displays SELinux context settings, not ACL permissions, so option A is incorrect. The -l option of the ls command displays the standard Linux file permissions, not the ACL permissions, so option B is incorrect. The chmod command allows you to change the standard permissions assigned to a file or directory, not display the ACL permissions, so option D is incorrect. The setfacl command allows you to change the ACL permissions for a file or directory, but not view them, so option E is incorrect.
What SELinux mode tracks policy violations but doesn’t enforce them?
Disabled Enforcing Targeted Permissive MLS
D. The permissive mode in SELinux logs policy violations but doesn’t prevent the action from happening, so option D is correct. The disabled mode allows all actions to happen but doesn’t log them, so option A is incorrect. The enforcing mode logs policy violations and enforces them, so option B is incorrect. Options C and E, targeted and MLS, are not SELinux modes but rather define what types of daemons to monitor; they are both incorrect.
Ted is tasked with documenting the SELinux security context assigned to a group of files in a directory. What command should he use?
getsebool setsebool ls -Z getenforce ls -l
C. The -Z option of the ls command displays the SELinux security context assigned to a file or directory, so option C is correct. The getsebool command displays the current setting for a policy rule, not the security context of files, so option A is incorrect. The setsebool command enables or disables a policy rule, and it doesn’t display the security context of a file, so option B is incorrect. The getenforce command displays the current SELinux mode, not the security context of files, so option D is incorrect. The -l option of the ls command displays the standard permissions assigned to a file, not the SELinux security context of the file, so option E is incorrect.
Mary is required to log into her Linux system as a standard user but needs to run an application with administrator privileges. What commands can she use to do that? (Choose all that apply.)
su wheel visudo sudo adm
A, D. The su command allows you to run an application as another user, including the root user account, and the sudo command allows you to run an application as the root user account, so options A and D are both correct. Both wheel and adm are user groups that provide administrator privileges, but they aren’t commands that run applications themselves, so options B and E are both incorrect. The visudo command opens an editor to edit the sudoers file so you can edit it, but it can’t run other applications, so option C is incorrect.
What user groups are commonly used to assign privileges for group members to run applications as the administrator? (Choose two.)
lp adm wheel sudo su
C, D. Red Hat–based distributions use the wheel group and Debian-based distributions use the sudo group to allow members to gain administrator privileges on the system to run applications, so options C and D are correct. The lp group is used to grant access to system printers, not run applications with administrator privileges, so option A is incorrect. The adm group is commonly used in Debian-based systems to grant access to log files, but not run applications with administrator privileges, so option B is incorrect. Option E, su, is a command-line command for running commands as another user, not a user group, so it is incorrect.
