RHCSA Prep course exam

Can somebody help me. I configure ldap, ldap users can login to system, they have home catalogs in /home/guests but i have question. Why root user cannot acces /home/guests/ldapuser1 folder. As ldapuser i can create, modify itp files in that catalog but root user can't
  • post-author-pic
    Ali M
    11-08-2018

    Hi Tomasz,


    Could you please provide the output of the following command:
    ls -ltr /home/guests/ldapuser1

    Also, of the following command using root user:
    visudo
    or
    cat /etc/sudoers


  • post-author-pic
    Tomasz C
    11-08-2018

    first terminal:

    [ldapuser1@ip-10-0-0-116 home]$ ls -ltr /home/guests/ldapuser1/

    total 0

    -rw-rw-r-- 1 ldapuser1 ldapuser1 0 Nov 8 07:35 file

    [ldapuser1@ip-10-0-0-116 ~]$ touch file

    [ldapuser1@ip-10-0-0-116 ~]$ ls -al

    [ldapuser1@ip-10-0-0-116 ~]$ touch file

    [ldapuser1@ip-10-0-0-116 ~]$ ls -al

    -rw-rw-r-- 1 ldapuser1 ldapuser1 0 Nov 8 07:35 file

    [ldapuser1@ip-10-0-0-116 ~]$


    [ldapuser1@ip-10-0-0-116 guests]$ ls -al

    total 0

    drwxr-xr-x 3 root root 0 Nov 8 07:35 .

    drwxr-xr-x. 5 root root 51 Nov 8 07:35 ..

    drwx------ 5 ldapuser1 ldapuser1 132 Nov 8 07:35 ldapuser1


    [ldapuser1@ip-10-0-0-116 home]$ ls -al

    total 8

    drwxr-xr-x. 5 root root 51 Nov 8 07:35 .

    dr-xr-xr-x. 20 root root 288 Nov 8 07:35 ..

    drwx------. 16 ec2-user ec2-user 4096 May 23 2017 ec2-user

    drwxr-xr-x 3 root root 0 Nov 8 07:35 guests

    drwx--x---+ 17 vncuser vncuser 4096 May 23 2017 vncuser


    on second console i try as root acces ldapuser1 home folder:


    [root@ip-10-0-0-116 ~]# cd /home/guests/ldapuser1/

    bash: cd: /home/guests/ldapuser1/: Permission denied


    [root@ip-10-0-0-116 ~]# ls -ltr /home/guests/ldapuser1

    ls: cannot open directory /home/guests/ldapuser1: Permission denied


    suoders


    [root@ip-10-0-0-116 ~]# cat /etc/sudoers

    ## Sudoers allows particular users to run various commands as

    ## the root user, without needing the root password.

    ##

    ## Examples are provided at the bottom of the file for collections

    ## of related commands, which can then be delegated out to particular

    ## users or groups.

    ##

    ## This file must be edited with the 'visudo' command.

    ## Host Aliases

    ## Groups of machines. You may prefer to use hostnames (perhaps using

    ## wildcards for entire domains) or IP addresses instead.

    # Host_Alias FILESERVERS = fs1, fs2

    # Host_Alias MAILSERVERS = smtp, smtp2

    ## User Aliases

    ## These aren't often necessary, as you can use regular groups

    ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

    ## rather than USERALIAS

    # User_Alias ADMINS = jsmith, mikem

    ## Command Aliases

    ## These are groups of related commands...

    ## Networking

    # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

    ## Installation and management of software

    # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

    ## Services

    # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

    ## Updating the locate database

    # Cmnd_Alias LOCATE = /usr/bin/updatedb

    ## Storage

    # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

    ## Delegating permissions

    # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

    ## Processes

    # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

    ## Drivers

    # Cmnd_Alias DRIVERS = /sbin/modprobe

    # Defaults specification

    #

    # Refuse to run if unable to disable echo on the tty.

    #

    Defaults !visiblepw

    #

    # Preserving HOME has security implications since many programs

    # use it when searching for configuration files. Note that HOME

    # is already set when the the env_reset option is enabled, so

    # this option is only effective for configurations where either

    # env_reset is disabled or HOME is present in the env_keep list.

    #

    Defaults always_set_home

    Defaults env_reset

    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"

    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

    #

    # Adding HOME to env_keep may enable a user to run unrestricted

    # commands via sudo.

    #

    # Defaults env_keep += "HOME"

    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

    ## Next comes the main part: which users can run what software on

    ## which machines (the sudoers file can be shared between multiple

    ## systems).

    ## Syntax:

    ##

    ## user MACHINE=COMMANDS

    ##

    ## The COMMANDS section may have other options added to it.

    ##

    ## Allow root to run any commands anywhere

    root ALL=(ALL) ALL

    ## Allows members of the 'sys' group to run networking, software,

    ## service management apps and more.

    # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

    ## Allows people in group wheel to run all commands

    %wheel ALL=(ALL) ALL

    ## Same thing without a password

    # %wheel ALL=(ALL) NOPASSWD: ALL

    ## Allows members of the users group to mount and unmount the

    ## cdrom as root

    # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

    ## Allows members of the users group to shutdown this system

    # %users localhost=/sbin/shutdown -h now

    ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

    #includedir /etc/sudoers.d

    ec2-user ALL=(ALL) NOPASSWD: ALL

    [root@ip-10-0-0-116 ~]#









  • post-author-pic
    Ali M
    11-08-2018

    Thanks Tomasz. Looking at the sudoers file, it seems root's permission are the default ones, so it should have complete access:

    ## Allow root to run any commands anywhere

    root ALL=(ALL) ALL


    Could you run the following command and add user root to ldapuser1 group as well and then try out those ls or touch  type of commands in /home/guests/ldapuser1 via root?

    usermod -a -G ldapuser1 root

Looking For Team Training?

Learn More