  1. Product Technical Learning
  2. PTL-2554

RH124-892: RHT1884163 - ch17s03 LAB grading succeeds following instructions but does not meet exercise requirements


    • ROLE
    • en-US (English)

      URL: https://rol.redhat.com/rol/app/courses/rh124-9.0/pages/ch17s03
      Reporter RHNID: k.kirill.mamaev
      Section: 3 - Lab: Manage Users and Groups, Permissions, and Processes
      Language: en-US (English)
      Workaround:

      Description: I think there's an issue with one of the tasks from here:
      https://rol.redhat.com/rol/app/courses/rh124-9.0/pages/ch17s03

      It says:
      "Configure the /home/student/grading/review2 directory so that the database group owns any file that is created in this directory, irrespective of which user created the file. Configure the permissions on the directory to allow members of the database group and the student user to access the directory and to create contents in it. All other users should have read and execute permissions on the directory."

      OK, let's try following the proposed solution:

      [student@serverb ~]$ sudo -i
      [sudo] password for student:
      [root@serverb ~]# groupadd -g 50000 database
      [root@serverb ~]# useradd -G database dbadmin1
      [root@serverb ~]# passwd dbadmin1
      Changing password for user dbadmin1.
      New password:
      BAD PASSWORD: The password is shorter than 8 characters
      Retype new password:
      passwd: all authentication tokens updated successfully.
      [root@serverb ~]# chage -d 0 dbadmin1
      [root@serverb ~]# chage -m 10 dbadmin1
      [root@serverb ~]# chage -M 30 dbadmin1
      [root@serverb ~]# echo "dbadmin1 ALL=(ALL) ALL" > /etc/sudoers.d/dbadmin1
      [root@serverb ~]# echo "umask 007" >> /home/dbadmin1/.bashrc
      [root@serverb ~]# mkdir -p /home/student/grading/review2
      [root@serverb ~]# chown dbadmin1:database /home/student/grading/review2
      [root@serverb ~]# chmod g+s /home/student/grading/review2
      [root@serverb ~]# chmod 775 /home/student/grading/review2
      [root@serverb ~]# chmod o+t /home/student/grading/review2
      [root@serverb ~]# ll -ld /home/student/grading/review2
      drwxrwsr-t. 2 dbadmin1 database 6 Jan 13 05:24 /home/student/grading/review2

      When grading the LAB from Workstation I get:

      Overall lab grade: PASS

      But let's have a closer look at this task:

      Configure the permissions on the directory to allow members of the database group and the student user to access the directory and to create contents in it.

      The proposed solution is simply to put 3755 on that directory. Let's try confirming it with some practice:

      Let's create a foouser and set database group to be primary group for this account:

      [root@serverb ~]# useradd -g database foouser
      [root@serverb ~]# su - foouser
      [foouser@serverb ~]$ id
      uid=1003(foouser) gid=50000(database) groups=50000(database) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      [foouser@serverb ~]$ ls -lah /home/student/grading/review2
      ls: cannot access '/home/student/grading/review2': Permission denied
      [foouser@serverb ~]$ cd /home/student/grading/review2
      -bash: cd: /home/student/grading/review2: Permission denied
      [foouser@serverb ~]$ touch /home/student/grading/review2/testfile
      touch: cannot touch '/home/student/grading/review2/testfile': Permission denied

      As you can see there's an issue. And the problem is this:

      [root@serverb ~]# tree -ugp /home
      /home
      [few lines omitted]
      └── [drwx------ student student ] student
          └── [drwxr-xr-x student student ] grading
              └── [drwxrwsr-t dbadmin1 database] review2

      foouser can't traverse any further/deeper down through /home/student since its permission is 700

      And the second issue is: let's try checking if student user has access to it as the task states.

      [root@serverb ~]# su - student
      Last login: Fri Jan 13 05:25:26 EST 2023 from 172.25.250.9 on pts/1
      [student@serverb review2]$ id
      uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      [student@serverb ~]$ cd
      [student@serverb ~]$ ll
      total 0
      drwxr-xr-x. 3 student student 21 Jan 13 05:24 grading
      [student@serverb ~]$ cd grading/
      [student@serverb grading]$ ll
      total 0
      drwxrwsr-t. 2 dbadmin1 database 6 Jan 13 05:24 review2
      [student@serverb grading]$ ls -lah /home/student/grading/review2
      total 0
      drwxrwsr-t. 2 dbadmin1 database 6 Jan 13 05:24 .
      drwxr-xr-x. 3 student student 21 Jan 13 05:24 ..
      [student@serverb grading]$ cd /home/student/grading/review2
      [student@serverb review2]$ touch testfile
      touch: cannot touch 'testfile': Permission denied

      OK we can read the contents of the dir, we can cd there, but it's not writable since student is not a member of database group and thus the OTHERS permissions are checked:

      drwxrwsr-t.

      And OTHERS don't have a write permission to it.

      So what I'm trying to say is that the lab solution is not solving the problem though grading says PASS. I think the only way it's possible to solve this problem is to use setfacl, which is not a part of the RH124 course.

      Thanks.

              glsbugs-hybridcloud@redhat.com PTL - RHEL Team
              rcasarru@redhat.com Roberto Casarrubios (Inactive)
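
The two failures in the report, reproduced as an added example that is not part of the original report or the course material: a shell model of the classic owner/group/other check, applied to every component of the path. The table is constructed from the `tree -ugp` output in the description; the `/home` row and the function names are assumptions, and ACLs, root and SELinux are not modelled.

```shell
#!/bin/sh
# Constructed table mirroring the report's `tree -ugp /home` output, as
# "octal-mode owner group path". The /home row (root, 0755) is an assumption.
TREE='0755 root root /home
0700 student student /home/student
0755 student student /home/student/grading
3775 dbadmin1 database /home/student/grading/review2'

# perm_digit MODE OWNER GROUP USER GROUPS: print the one rwx digit that applies.
# Only one class is consulted: owner first, then group, then other.
perm_digit() {
    perms=${1#?}                      # drop the setuid/setgid/sticky digit
    if [ "$4" = "$2" ]; then
        echo "${perms%??}"            # owner digit
        return
    fi
    case ",$5," in
        *",$3,"*) perms=${perms#?}; echo "${perms%?}" ;;   # group digit
        *)        echo "${perms#??}" ;;                    # other digit
    esac
}

# can_create USER GROUPS DIR: print "ok" or the first failing check.
can_create() {
    user=$1 groups=$2 target=$3 result="not-listed $3"
    while read -r mode owner group path; do
        # Only the target and its ancestors matter.
        case "$target/" in "$path"/*) ;; *) continue ;; esac
        d=$(perm_digit "$mode" "$owner" "$group" "$user" "$groups")
        # Every component needs search (x) permission.
        if [ $(($d & 1)) -eq 0 ]; then result="no-search $path"; break; fi
        if [ "$path" = "$target" ]; then
            # Creating an entry also needs write (w) on the directory itself.
            if [ $(($d & 2)) -eq 0 ]; then result="no-write $path"; else result="ok"; fi
            break
        fi
    done <<EOF
$TREE
EOF
    echo "$result"
}

REVIEW2=/home/student/grading/review2
echo "foouser:  $(can_create foouser database "$REVIEW2")"
echo "student:  $(can_create student student,wheel "$REVIEW2")"
echo "dbadmin1: $(can_create dbadmin1 dbadmin1,database "$REVIEW2")"
```

On a live system, `namei -l /home/student/grading/review2` lists the same per-component owner, group and mode information that the table encodes.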