Part I: Configure the ACL of a Directory To configure the ACL of a directory, do the following:
1. If necessary, log in to your da1 server as geeko with a password of novell.
2. Open a terminal window and su - to root using a password of novell.
3. Change to the directory /tmp by entering cd /tmp
4. Create a test directory by entering mkdir acl_test
5. Limit the file system permissions for the directory by entering chmod 700 acl_test
6. Open a second terminal window as the geeko user.
7. Try changing to the test directory by entering cd /tmp/acl_test/
The command fails with “Permission denied”: geeko is not the owner of the directory, and mode 700 gives everyone else no execute (search) permission on it, which is what cd requires.
8. Switch to the root terminal session.
9. Display the minimum ACL of the directory by entering
getfacl acl_test
It should show rwx permissions for the owning user (user::rwx) and no permissions for the group (group::---) or anyone else (other::---). This is the minimum ACL, which is just another view of the standard mode bits.
Administer User Access and Security
10. Add an ACL entry that grants the named user geeko read, write and execute (search) permission on the directory by entering
setfacl -m u:geeko:rwx acl_test/
11. Switch to the geeko terminal and try to access the directory again by entering cd /tmp/acl_test
Because of the extended ACL entry for geeko (and the mask entry that setfacl created alongside it), you can now change into the directory.
12. Switch to the root terminal and display the extended ACL of the directory by entering
getfacl /tmp/acl_test/
It should now show an entry for the named user geeko (user:geeko:rwx) and a mask entry (mask::rwx) in addition to the owner, group and other entries.
Part II: Configure a Default ACL for a Directory
To configure a default ACL for a directory, do the following:
1. In the root terminal window, change to the directory acl_test by entering cd /tmp/acl_test
2. Create a file by entering
touch without_default_acl
3. Display the ACL of the new file by entering getfacl without_default_acl
Because the parent directory has no default ACL, the new file has only a minimal ACL: its entries are derived from the mode bits alone, and ls -l shows no + sign after the permissions.
4. Set a default ACL for the acl_test directory by entering
setfacl -d -m u:geeko:rw /tmp/acl_test/
5. Create another test file by entering touch with_default_acl
6. Display the ACL of the new file by entering getfacl with_default_acl
Because this file was created after the default ACL was set on its parent directory, its access ACL was initialized from that default ACL. It has an entry for the named user geeko (user:geeko:rw-) and a mask entry. Note that the default ACL is applied only to objects created afterwards; the file without_default_acl from step 2 is not changed retroactively.
Part III: Delete an ACL
To delete an ACL, do the following:
1. In the root terminal window, remove the ACL entry for geeko by entering setfacl -x u:geeko with_default_acl
2. Display the ACL again by entering
getfacl with_default_acl
As you can see, the ACL entry for the user geeko has been removed and the mask has been recalculated. If there were entries for other named users or groups, they would remain unaffected.
3. View the file attributes of with_default_acl by entering ls -l with_default_acl
The + sign after the permission bits signifies that the file still has an extended ACL: setfacl -x removed only the entry for geeko, and the mask entry remains.
4. Remove all ACLs by entering
setfacl -b with_default_acl
5. Display the ACL again by entering the following commands:
getfacl with_default_acl
ls -l with_default_acl
Notice that the extended ACL has been removed: getfacl lists only the owner, group and other entries, and ls -l no longer shows the + sign.
6. Close all terminal windows.
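The three parts above, replayed in one script as an added example that is not part of the course lab. It provides small helpers that read getfacl output and compute what a named user can actually do (an entry ANDed with the mask), which is the detail the lab's step about the leftover + sign hinges on, and a guarded function that runs the same setfacl sequence on da1. The getfacl texts are constructed to match what the lab produces on a root-owned directory with mode 700; the last one goes one step beyond the lab and shows what a later chmod 640 does to the mask. The names /tmp/acl_test and geeko are the lab's.

```shell
#!/bin/sh
# Added example (not from the course): read getfacl output, work out effective rights,
# and replay the lab. Constructed getfacl texts below; /tmp/acl_test and geeko are assumed.

# Permission field of one entry: acl_entry "<getfacl text>" <kind> [<name>]
# kind is user, group, mask or other; name is empty for the owner / owning-group entries.
acl_entry() {
    printf '%s\n' "$1" | awk -F: -v kind="$2" -v name="${3:-}" '
        /^#/ { next }                      # skip the "# file:" header lines
        $1 == kind && $2 == name {
            sub(/[ \t]+#.*$/, "", $3)      # drop a trailing "#effective:..." note
            print $3; exit
        }'
}

# Character-wise AND of two rwx strings: perm_and rw- r-x -> r--
perm_and() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { a = $0; next }
        { out = ""
          for (i = 1; i <= 3; i++) {
              c = substr(a, i, 1)
              out = out ((c != "-" && c == substr($0, i, 1)) ? c : "-")
          }
          print out }'
}

# Effective rights of a named user/group or the owning group: entry ANDed with the mask.
# The owner and "other" entries are never masked. Prints "---" when there is no entry.
effective_perm() {
    entry=$(acl_entry "$1" "$2" "${3:-}")
    [ -n "$entry" ] || { echo "---"; return; }
    mask=$(acl_entry "$1" mask)
    case "$2:${3:-}" in
        user:|other:) echo "$entry" ;;
        *) [ -n "$mask" ] && perm_and "$entry" "$mask" || echo "$entry" ;;
    esac
}

# "yes" if the ACL is extended (what ls -l marks with "+"): a named entry or a mask entry.
is_extended() {
    printf '%s\n' "$1" | grep -Eq '^(user|group):[^:]+:|^mask:' && echo yes || echo no
}

# Constructed: with_default_acl right after it inherited the default ACL (Part II, step 6).
ACL_INHERITED='# file: with_default_acl
# owner: root
# group: root
user::rw-
user:geeko:rw-
group::---
mask::rw-
other::---'

# Constructed: after setfacl -x u:geeko (Part III, step 2). geeko is gone, the mask stays.
ACL_AFTER_X='# file: with_default_acl
# owner: root
# group: root
user::rw-
group::---
mask::---
other::---'

# Constructed: after setfacl -b (Part III, step 5). Back to a minimal ACL, no "+".
ACL_AFTER_B='# file: with_default_acl
# owner: root
# group: root
user::rw-
group::---
other::---'

# Constructed: a chmod 640 on a file carrying u:geeko:rw- rewrites the mask to the group
# bits, so geeko silently drops to read-only although the entry itself still says rw-.
ACL_AFTER_CHMOD='# file: with_default_acl
# owner: root
# group: root
user::rw-
user:geeko:rw-        #effective:r--
group::---
mask::r--
other::---'

# Replay Parts I-III on a real file system. Runs only as root with the acl tools and the
# geeko account present, i.e. on the da1 lab server; prints the ACL at each step.
replay_lab() {
    command -v setfacl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] && id geeko >/dev/null 2>&1 \
        || { echo "replay_lab: needs root, setfacl and user geeko (the da1 lab setup)"; return 1; }
    dir=/tmp/acl_test
    mkdir -p "$dir" && chmod 700 "$dir"
    setfacl -m u:geeko:rwx "$dir"                 # Part I: named-user entry on the directory
    setfacl -d -m u:geeko:rw "$dir"               # Part II: default entry, inherited by new files
    touch "$dir/with_default_acl"
    getfacl "$dir/with_default_acl"
    setfacl -x u:geeko "$dir/with_default_acl"    # Part III: remove the entry, mask remains
    ls -l "$dir/with_default_acl"                 # still shows "+"
    setfacl -b "$dir/with_default_acl"            # strip every extended entry
    ls -l "$dir/with_default_acl"                 # no "+" any more
}

show() { printf '%-12s geeko=%s extended=%s\n' "$1" "$(effective_perm "$2" user geeko)" "$(is_extended "$2")"; }
show inherited "$ACL_INHERITED"
show after-x "$ACL_AFTER_X"
show after-b "$ACL_AFTER_B"
show after-chmod "$ACL_AFTER_CHMOD"
```

Run the script as is to see the four scenarios; on da1 as root, call replay_lab to reproduce the lab itself. The chmod case is the one to remember in practice: any tool that "tightens" a file with chmod after an ACL was set changes the mask, and getfacl marks the result with #effective.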
Exercise 11-5 Configure SuSEfirewall2
In this exercise, you practice configuring SuSEfirewall2, the firewall of SUSE Linux Enterprise Server 11 SP2, on your da1 server. You install and configure the Apache Web Server on da1. Then you enable the firewall on da1 and configure it to allow Web server traffic.
Complete the following:
1. If necessary, log in to da1 as geeko with a password of novell.
2. Install the Apache Web Server on da1 by doing the following:
a. Select Computer > YaST.
b. When prompted, enter a password of novell.
c. Select Software > Software Management.
d. From the View drop-down list, select Patterns.
e. Select the Web and LAMP Server pattern.
f. Click Accept.
g. In the Automatic Changes screen, click Continue.
h. If prompted, insert your SLES 11 SP2 installation DVD and click Retry. Wait while the packages are installed.
i. When done, close YaST.
j. Open a terminal session.
k. Switch to root by entering su - at the shell prompt followed by a password of novell.
l. Start Apache on da1 by entering rcapache2 start at the shell prompt.
3. Test the Apache Web Server on da1 by doing the following:
a. Select Computer > Firefox.
b. In the Address field, enter http://da1.digitalairlines.com. You should see a page saying “It works!”.
c. Close Firefox.
4. Enable SuSEfirewall2 on da1 by doing the following:
a. Start YaST again on da1.
b. Select Security and Users > Firewall.
c. In the Start-Up screen, verify that Enable Firewall Automatic Starting is selected.
d. (Conditional) If your firewall isn’t currently running, select Start Firewall Now.
e. Click Next.
f. Review the settings on the Summary screen, then click Finish.
g. Close YaST.
5. Test the firewall configuration from your da-host workstation by doing the following:
a. Start Firefox on da-host.
b. In the Address field, enter http://da1.digitalairlines.com.
The server should fail to respond (Firefox eventually reports a timeout) because the firewall on da1 is now blocking incoming connections to the Web server: no services have been allowed on the external zone yet.
6. Configure the firewall on da1 to allow Web server traffic by doing the following:
a. Switch to your da1 virtual server.
b. Start YaST and select Security and Users > Firewall.
c. Select Allowed Services.
d. From the Service to Allow drop-down list, select HTTP Server; then click Add.
e. From the Service to Allow drop-down list, select HTTPS Server; then click Add.
f. Click Next.
g. Click Finish.
h. Close YaST.
7. Test the new firewall configuration by doing the following:
a. Switch to your da-host workstation.
b. In the Firefox window, click the Reload icon.
The server should now respond because the firewall on da1 is configured to accept incoming HTTP and HTTPS connections on the external zone; all other incoming traffic is still blocked.
8. Close all open windows on both systems.
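The command-line side of steps 4 to 7, as an added example that is not part of the course. YaST writes its choices to /etc/sysconfig/SuSEfirewall2, which is an ordinary shell-syntax sysconfig file, so the script sources a copy of it to list what has been opened on the external zone, shows a constructed "nothing allowed" fragment beside the fragment that corresponds to adding HTTP Server and HTTPS Server, and wraps the equivalent of the YaST clicks in a guarded function for da1. The file layout (FW_CONFIGURATIONS_EXT with the apache2 and apache2-ssl service definitions, the SuSEfirewall2_init and SuSEfirewall2_setup services, the input_ext chain) is assumed from SLES 11; the host name da1.digitalairlines.com is the lab's.

```shell
#!/bin/sh
# Added example (not from the course): audit and apply SuSEfirewall2 service settings.
# Assumes the SLES 11 layout of /etc/sysconfig/SuSEfirewall2; config fragments are constructed.

# Print the services opened on the external zone. The file is shell syntax, so it is
# sourced in a subshell instead of being parsed by hand. Caveat: sourcing executes the
# file, so only do this with a config you trust (a copy of a root-owned file is fine).
fw_external_services() {   # fw_external_services /etc/sysconfig/SuSEfirewall2
    ( . "$1" 2>/dev/null
      printf '%s\n' "${FW_CONFIGURATIONS_EXT:-} ${FW_SERVICES_EXT_TCP:-}" \
          | tr -s ' ' | sed 's/^ //; s/ $//' )
}

# Write a config fragment to a temporary file and print its path (for the checks below).
write_cfg() { f=$(mktemp) && printf '%s\n' "$1" > "$f" && echo "$f"; }

# Constructed: state after step 4, firewall on but nothing allowed. Port 80 is filtered.
FW_DEFAULT='FW_CONFIGURATIONS_EXT=""
FW_SERVICES_EXT_TCP=""'

# Constructed: state after step 6. YaST records "HTTP Server" and "HTTPS Server" as the
# apache2 and apache2-ssl service definitions from /etc/sysconfig/SuSEfirewall2.d/services/.
FW_WEB='FW_CONFIGURATIONS_EXT="apache2 apache2-ssl"
FW_SERVICES_EXT_TCP=""'

# Constructed: the older, port-based way of allowing the same traffic.
FW_PORTS='FW_CONFIGURATIONS_EXT=""
FW_SERVICES_EXT_TCP="80 443"'

# On da1 as root: what steps 4 and 6 do in YaST, followed by the check step 7 relies on.
apply_on_da1() {
    [ "$(id -u)" -eq 0 ] && [ -f /etc/sysconfig/SuSEfirewall2 ] \
        || { echo "apply_on_da1: run as root on a SLES 11 host"; return 1; }
    chkconfig SuSEfirewall2_init on && chkconfig SuSEfirewall2_setup on    # step 4c
    sed -i 's/^FW_CONFIGURATIONS_EXT=.*/FW_CONFIGURATIONS_EXT="apache2 apache2-ssl"/' \
        /etc/sysconfig/SuSEfirewall2                                        # step 6d-e
    rcSuSEfirewall2 restart                                                  # load the rules
    iptables -L input_ext -n | grep -E 'dpt:(80|443)'                        # ACCEPT rules for 80/443
}

# From da-host: steps 5 and 7 without a browser. Prints the HTTP status line once the
# rule is in place; while port 80 is still filtered curl times out and prints nothing.
check_from_host() {   # check_from_host da1.digitalairlines.com
    curl -sS -I --max-time 5 "http://$1/" | head -n 1
}

# Stand-alone run: compare the three fragments.
for cfg in "$FW_DEFAULT" "$FW_WEB" "$FW_PORTS"; do
    printf 'external zone allows: "%s"\n' "$(fw_external_services "$(write_cfg "$cfg")")"
done
```

Running fw_external_services against the live /etc/sysconfig/SuSEfirewall2 (or a copy pulled from a fleet) is a quick way to confirm that only the two Web services were opened, rather than relying on the YaST summary screen.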