Review Questions and Answers

1. 

Examine the following sequence of executed commands and system responses:

 $ whoami
 user1
 $ su passmgr
 Password:
 Roles can only be assumed by authorized users
 su: Sorry
 $

Which of the following statements best describes the results of the command sequence?

  A. The passmgr role has not been configured by the administrator or does not exist.

  B. The user1 has not been authorized to use the passmgr role.

  C. The wrong password was supplied for the passmgr role.

  D. Someone else is already logged in as the passmgr role.

  E. You cannot su to a role; you must log in as a role from the login screen.


2. 

You are the Solaris administrator for a small group of workstations. Because of your current workload, you decide to allow all users to have administrative rights on their workstations. However, you still want them logging in under their own user account. Which of the following solutions meets your needs, without directly granting users access to the superuser account? (Choose all that apply.)

  A. Instruct all users to log in as root and give them the root password.

  B. Add a line to the policy.conf file that reads AUTHS_GRANTED=solaris.*.

  C. Add a line to the user_attr database that reads AUTHS_GRANTED=solaris.*.

  D. Add a line to the prof_attr database that reads PROFS_GRANTED=System Administrator.

  E. Add a line to the policy.conf file that reads PROFS_GRANTED=Primary Administrator.


3. 

You have just created a junior administrator role on your Solaris computer. You are going to assign the role, named jradmin, to a user named abradley. Which of the following commands do you use to perform this task?

  A. usermod -R jradmin abradley

  B. usermod -R abradley jradmin

  C. rolemod -R jradmin abradley

  D. rolemod -R abradley jradmin


4. 

Here is an excerpt from the user_attr database:

 root::::auths=solaris.*,solaris.grant;profiles=All
 lp::::profiles=Printer Management
 adm::::profiles=Log Management
 jradmin::::type=role;auths=solaris.admin.*,solaris.profmgr.*;profiles=All
 cmalcolm::::type=normal;roles=jradmin

Based on this information, which of the following statements are true? (Choose all that apply.)

  A. jradmin has full administrative powers on this Solaris computer.

  B. Anyone logging in as cmalcolm can use the same authorizations and profiles as jradmin.

  C. jradmin is a user account on this Solaris computer.

  D. cmalcolm is a user account on this Solaris computer.


5. 

Which of the following RBAC-related files contain information about both authorizations and profiles? (Choose all that apply.)

  A. user_attr

  B. auth_attr

  C. prof_attr

  D. exec_attr

  E. policy.conf


6. 

Examine the following command sequence:

 # ls -l
 -rw-rw-r--  1 qdocter  author       880 Nov 29 13:46 doc1
 -rwxr-----  1 qdocter  author       880 Nov 29 14:04 file1
 # setfacl -s u::rwx,g::r--,o:---,m:r--,u:3486:rw- doc1

Which of the following statements are true regarding the results of the command sequence? (Choose all that apply.)

  A. The qdocter user will still have only read and write permissions on doc1.

  B. The author group will still have only read and write permissions on doc1.

  C. Anyone not belonging to the author group will not have any access to doc1.

  D. The 3486 user will have read and write permissions to doc1.

  E. The qdocter user will have read, write, and execute permissions on doc1.


7. 

You are configuring RBAC for your Solaris server. Instead of using the command line, you want to manually edit the RBAC database files. Which of the following files is not located in the /etc/security directory?

  A. user_attr

  B. auth_attr

  C. prof_attr

  D. exec_attr

  E. policy.conf


8. 

You are the Solaris security administrator for your network. You are going to configure an Access Control List on a file that several users need access to. Which of the following statements are true regarding setting the ACL? (Choose all that apply.)

  A. Setting an ACL will override any existing permissions on the file.

  B. To display any of the permissions set by the setfacl command, you must use the getfacl command.

  C. The ACL will enable you to assign individual permissions to each user needing access to the file.

  D. To create the ACL on a file that does not have one, you must use the setfacl -s command.


9. 

Examine the following information:

 # getfacl doc1
 # file: doc1
 # owner: qdocter
 # group: author
 user::rwx
 user:3856:rw-       #effective:rw-
 group::r--          #effective:r--
 mask:r--
 other:---

One of these lines has been modified from the real getfacl output. Which piece of information from this simulated getfacl output must be incorrect, based on the rules for ACLs?

  A. user::rwx

  B. user:3856:rw- #effective:rw-

  C. group::r-- #effective:r--

  D. mask:r--

  E. other:---


10. 

You have created an Access Control List on a file named abcfile. Now, you want to delete the Access Control List. Which command do you execute to perform this task?

  A. setfacl -s abcfile

  B. setfacl -r abcfile

  C. setfacl -d abcfile

  D. setfacl -m none abcfile


11. 

You are the Solaris administrator for your network. You want to grant one rights policy to all users on the network. Which file can you edit to accomplish this in one step?

  A. user_attr

  B. prof_attr

  C. auth_attr

  D. policy.conf


12. 

Here is an excerpt from the user_attr database:

 root::::auths=solaris.*,solaris.grant;profiles=All
 lp::::profiles=Printer Management
 adm::::profiles=Log Management
 jradmin::::type=role;auths=solaris.admin.*,solaris.profmgr.*;profiles=All
 jgebelt::::type=normal;roles=admin2,jradmin;auths=solaris.jobs.*
 admin2::::type=role;auths=solaris.*

Based on this information, which of the following statements are true? (Choose all that apply.)

  A. admin2 has full administrative powers on this Solaris computer.

  B. jradmin has full administrative powers on this Solaris computer.

  C. The admin2 account has more power than the jradmin account.

  D. The jgebelt user can use su to assume the role of admin2, and then while logged in as admin2, use su to assume jradmin.


13. 

You are the security administrator for your network. A file named app1 has an existing Access Control List. You want to change the ACL to include additional users, while keeping the existing settings. Which of the following commands would you execute to perform this task?

  A. setfacl -s app1

  B. setfacl -m app1

  C. setfacl -d app1

  D. setfacl -r app1


14. 

Here is an excerpt from one of the RBAC databases:

 Software Installation:suser:cmd:::/usr/bin/pkginfo:uid=0
 File System Management:suser:cmd:::/usr/lib/fs/autofs/automount:euid=0
 Object Access Management:suser:cmd:::/usr/bin/getfacl:euid=0

Which one of the databases is this data from?

  A. user_attr

  B. auth_attr

  C. prof_attr

  D. exec_attr

  E. policy.conf


15. 

Examine the following information, which is the complete output from an executed command (which is blacked out for obvious reasons):

Based on this information, which of the following statements must be true? (Choose all that apply.)

  A. The command executed was getfacl -d.

  B. The output displayed is for a directory.

  C. Because the mask value is set to rw-, the group permissions should be at least rw-.

  D. Because this output displays only default settings, the ACL is not enabled on this file.


16. 

Examine the following information:

 # getfacl doc1
 # file: doc1
 # owner: jgebelt
 # group: cpuguru
 user::rwx
 user:3856:rw-      #effective:rw-
 group::r--         #effective:r--
 mask:rw-
 other:---

Which of the following commands did you execute to configure this ACL?

  A. setfacl -s u:7,g:4,o:0,m:6,u:3856:6 doc1

  B. setfacl -s u:3856:6,g::4,o:0,m:6 doc1

  C. setfacl -s u::7,g::4,o:0,m:6,u:3856:6 doc1

  D. setfacl -s u::7,g::6,o:0,m:4,u:3856:6 doc1


17. 

You are the senior Solaris administrator for your company. One of the junior administrators has been assigned the task of granting 10 users access to a project file. Each of the users will need read and write access to the file. The users are from several departments, and for logistical reasons (potential security difficulties), you have instructed the junior administrator not to create a group for the individuals involved in the project. Now he is confused as to how to best apply security on the file. What do you instruct him to do?

  A. Create an Access Control List for each user that needs access to the file. Within each ACL, set the appropriate permissions for an individual user.

  B. Create one Access Control List for the file and add each user to the ACL. In the ACL, grant each user the appropriate permissions to the file.

  C. Create a role and give the role ownership of the file, including read and write permissions. Give each user the role's username and password, and instruct them to use the role to access the file.

  D. Create 10 copies of the file, each in the same directory. Make each user the owner of one copy. Grant the users the appropriate permissions to their file. Instruct the users to use their file only. Create a batch job to concatenate the files into one master project file at midnight each night.


18. 

You are the Solaris security administrator for your company. You have just set up an ACL on a file named phonelist, and you want to configure the exact same ACL on a file named addresses. What is the easiest way you can accomplish this task using the Bourne shell (sh)?

  A. Use the setfacl command to create a new ACL for the addresses file, using the same parameters you used for phonelist.

  B. Create a copy of the phonelist file. Rename the new file to addresses.

  C. Use the getfacl phonelist | setfacl -f - addresses command to copy the ACL from phonelist to addresses.

  D. Use the getfacl phonelist | setfacl addresses command to copy the ACL from phonelist to addresses.


19. 

Examine the following command sequence:

 # ls -l
 -rw-rw-r--  1 qdocter  author       880 Nov 29 13:46 doc1
 -rwxr-----  1 qdocter  author       880 Nov 29 14:04 file1
 # setfacl -s u::rwx,g::rw-,o:---,m:rw-,u:3486:rw- doc1

Which of the following statements are true regarding the results of the command sequence? (Choose all that apply.)

  A. When you run ls -l, the permission structure for doc1 will appear unchanged, except for a + at the end indicating that an ACL is present.

  B. The author group will still have only read and write permissions on doc1.

  C. Anyone not belonging to the author group will have read and write access to doc1.

  D. The 3486 user will have read and write permissions to doc1.

  E. The qdocter user will have read, write, and execute permissions on doc1.


20. 

Here is an excerpt from one of the RBAC databases:

 Media Restore:::Restore files and file systems from backups: \
    help=RtMediaRestore.html
 User Management:::Manage users, groups, home directory: \
    auths=solaris.profmgr.read,solaris.admin.usermgr.write, \
    solaris.admin.usermgr.read;help=RtUserMngmnt.html

Which one of the databases is this data from?

  A. user_attr

  B. auth_attr

  C. prof_attr

  D. exec_attr

  E. policy.conf


Answers

1. 

B. If you try to use a role that you do not have access to, you will receive this error message. If the role did not exist, you would receive a message that the ID was unknown. Supplying an incorrect password will result in only su: Sorry. You must use su to assume a role.

2. 

B, E. By giving all users the root username and password, you are giving them direct access to the root user account. Instead, either add an authorization for all users in policy.conf for solaris.*, or grant a profile of Primary Administrator. Neither the user_attr nor the prof_attr databases use the keyword=value pairing used in the answers.

3. 

A. Users are associated with roles through the usermod command, not the rolemod command. The proper syntax is usermod -R rolename username.

4. 

B, D. The jradmin account is a role, not a user account. This is identified by the type=role key pair. The cmalcolm account is a user account (type=normal), and has been authorized to use the jradmin role. Therefore, anyone logging in as cmalcolm (and has the password for jradmin) can assume jradmin's role.

5. 

A, E. The user_attr file contains user and role accounts, and can contain associations for both authorizations and profiles. The auth_attr file contains only authorizations, the prof_attr file contains only profiles, and exec_attr contains execution attributes. Authorizations and profiles can be assigned to all users in the policy.conf file.

6. 

C, E. The setfacl command set an Access Control List on the file doc1. When you use setfacl, the existing permissions on the file are replaced by the new permissions set by the ACL. Therefore, the user (owner) will have rwx, as specified by u::rwx. The author group will be granted read-only access (g::r--), and everyone else will have no access (o:---). The 3486 user will have only read permission, as the mask is set to r--, limiting the user to read-only, even though they were explicitly granted read and write.

7. 

A. The full path for the user database is /etc/user_attr. All of the other files listed are in /etc/security.

8. 

A, C, D. When you enable an ACL, it will override any existing permissions on the file. ACLs are set with the setfacl -s command and enable you to set separate permissions for each user or group that needs access to the file. Using the ls -l command will still display permissions set for the owner and group (which are set in the ACL); you don't need to run getfacl. However, to see the permissions for the additional users, you will need to use getfacl.

9. 

B. Because the mask is set to r--, other users can have no more than read access. Therefore, the effective rights for user 3856 cannot be rw-.

10. 

C. ACLs are deleted with the setfacl -d command. The -s switch sets a new ACL (and requires parameters to configure the ACL), the -r switch recalculates the mask, and -m modifies the ACL, although none is not a valid option.

11. 

D. Authorizations or profiles assigned in the policy.conf file affect all users who use the computer.

12. 

A, B, C. The admin2 account has been granted the solaris.* authorization, meaning that the role has access to all administrative functions of Solaris. It's also more powerful than the jradmin role, which has many, but not all, administrative powers. The jgebelt user can assume the role of either admin account, but the admin2 account does not have authorization to assume jradmin. When someone uses su to assume the role of another user or role, all of their security settings become those of the new user or role.
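The following is an added example, not code from the study guide: it parses the user_attr excerpts from Questions 4 and 12 and applies the rule behind the su failure in Question 1 (a role can be assumed only by an account whose roles= list names it). The function names and result strings are this example's own, and the excerpt is constructed from the entries shown on this page.

```python
# Added example: who may assume which RBAC role, per the user_attr rules
# behind Questions 1, 4 and 12. Names and messages are the example's own.
# Constructed excerpt combining the user_attr entries shown on this page.
USER_ATTR = """\
root::::auths=solaris.*,solaris.grant;profiles=All
lp::::profiles=Printer Management
adm::::profiles=Log Management
jradmin::::type=role;auths=solaris.admin.*,solaris.profmgr.*;profiles=All
cmalcolm::::type=normal;roles=jradmin
jgebelt::::type=normal;roles=admin2,jradmin;auths=solaris.jobs.*
admin2::::type=role;auths=solaris.*
"""


def parse_user_attr(text):
    """Return {name: {key: [values]}} for each user_attr line.
    Fields are name:qualifier:res1:res2:attr; attr holds key=value pairs
    separated by ';' with comma-separated values."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            raise ValueError("malformed user_attr line: %r" % line)
        attrs = {}
        for pair in fields[4].split(";"):
            if pair:
                key, _, value = pair.partition("=")
                attrs[key] = value.split(",") if value else []
        attrs.setdefault("type", ["normal"])  # no type= means a normal user
        entries[fields[0]] = attrs
    return entries


def is_role(entries, name):
    return entries.get(name, {}).get("type") == ["role"]


def can_assume(entries, caller, role):
    """Outcome of 'su role' run by caller, following the explanations on
    this page: an unknown id is reported as such, and a role may be assumed
    only by an account whose roles= list names it. admin2 lists no roles=,
    so it cannot chain into jradmin (Question 12)."""
    if role not in entries:
        return "unknown id"
    if not is_role(entries, role):
        return "not a role"
    if role in entries.get(caller, {}).get("roles", []):
        return "authorized"
    return "not authorized"  # su prints: Roles can only be assumed by authorized users


def has_full_auth(entries, name):
    """True when the account holds the all-encompassing solaris.* authorization."""
    return "solaris.*" in entries.get(name, {}).get("auths", [])
```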

13. 

B. The setfacl -m command is used to modify an existing ACL. The -s switch replaces any current settings. The -r switch recalculates the mask, and -d deletes the ACL.

14. 

D. The information presented is a list of three execution attributes. They are the only database entries to contain uid or euid entries. These are stored in the /etc/security/exec_attr database.

15. 

A, B. This output is from a getfacl -d command run on a directory. Directories have default settings, but files do not. Also, the mask limits the maximum permissions for users other than the owner (and the owner's group), not the minimum permissions. After an ACL is created, it is enabled by default.

16. 

C. To set an ACL, you must use the setfacl -s command. The third answer uses the correct syntax for setting the ACL for the doc1 file.

17. 

B. You can create only one ACL per file, but you can list as many individual users in an ACL as you want to. This is by far the best (and only plausible) solution presented.

18. 

C. You can copy an ACL by piping the output from getfacl to the setfacl command for the new file. However, you must use setfacl -f - filename for the piped destination. Using setfacl again to create another ACL would be more work than is necessary. Creating a copy of the phonelist file will copy the ACL. However, it's unlikely that you want to overwrite your address list with a phone list.

19. 

B, D, E. The setfacl command set an Access Control List on the file doc1. When you use setfacl, the existing permissions on the file are replaced by the new permissions set by the ACL, and the new permissions are reflected by the ls -l command. Based on the command, the user (owner) will have rwx, as specified by u::rwx. The author group will be granted read and write access (g::rw-), and everyone else will have no access (o:---). The 3486 user will have read and write permission, as they were granted rw-, and the mask enables other users to have read and write access.
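The following is an added example, not code from the study guide: it models the mask rule that Questions 6, 9, 16 and 19 all turn on. It parses a setfacl -s entry list in the syntax shown on this page (rwx or octal permissions), computes each entry's effective permission, and flags a getfacl listing whose #effective: column the mask could not have produced. The function names and the sample listing are this example's own constructions.

```python
# Added example: Solaris ACL mask semantics as tested in Questions 6, 9, 16, 19.
# Entry syntax follows this page; function names are the example's own.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perm(text):
    """'rw-' -> 6 and '6' -> 6; setfacl accepts either spelling."""
    if len(text) == 1 and text in "01234567":
        return int(text)
    if len(text) != 3 or any(c not in ("-", w) for c, w in zip(text, "rwx")):
        raise ValueError("bad permission: %r" % text)
    return sum(PERM_BITS[c] for c in text if c != "-")

def perm_str(value):
    return "".join(c if value & bit else "-" for c, bit in PERM_BITS.items())

def parse_entries(spec):
    """'u::rwx,g::r--,o:---,m:r--,u:3486:rw-' -> [(tag, qualifier, perm)]."""
    entries = []
    for item in spec.split(","):
        parts = item.split(":")
        if parts[0] in ("u", "g") and len(parts) == 3:
            entries.append((parts[0], parts[1], parse_perm(parts[2])))
        elif parts[0] in ("o", "m") and len(parts) == 2:
            entries.append((parts[0], "", parse_perm(parts[1])))
        else:
            raise ValueError("bad ACL entry: %r" % item)
    # setfacl -s needs the owner, owning-group, other and mask base entries.
    if {("u", ""), ("g", ""), ("o", ""), ("m", "")} - {(t, w) for t, w, _ in entries}:
        raise ValueError("missing u::, g::, o: or m: entry in %r" % spec)
    return entries

def effective_acl(spec):
    """Return [(tag, qualifier, granted, effective)]. Owner (u::) and other
    (o:) are never masked; named users, the owning group and named groups
    are ANDed with the mask, which is what getfacl prints as #effective:."""
    entries = parse_entries(spec)
    mask = [p for t, _, p in entries if t == "m"][0]
    out = []
    for tag, who, perm in entries:
        masked = tag == "g" or (tag == "u" and who != "")
        out.append((tag, who, perm_str(perm), perm_str(perm & mask if masked else perm)))
    return out

def check_getfacl(output):
    """Return getfacl lines whose #effective: value is not (granted AND mask)."""
    lines = [l.strip() for l in output.splitlines() if l.strip() and not l.strip().startswith("#")]
    masks = [parse_perm(l.split(":")[1]) for l in lines if l.startswith("mask:")]
    if len(masks) != 1:
        raise ValueError("expected exactly one mask: line")
    bad = []
    for line in lines:
        entry, found, eff = line.partition("#effective:")
        if found and parse_perm(eff.strip()) != parse_perm(entry.strip().split(":")[-1]) & masks[0]:
            bad.append(line)
    return bad

# Constructed sample reproducing the listing in Question 9 (not real output).
Q9_LISTING = """\
# file: doc1
user::rwx
user:3856:rw-       #effective:rw-
group::r--          #effective:r--
mask:r--
other:---
"""
```

check_getfacl(Q9_LISTING) returns just the user:3856 line, the one Question 9 asks you to identify; the same listing with mask:rw- passes clean.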

20. 

C. The information presented is two profiles: the Media Restore profile and the User Management profile. Profiles are stored in the /etc/security/prof_attr database.




Solaris 9 Sun Certified System Administrator Study Guide
ISBN: 0782141811
Year: 2003
Pages: 194