Securing Your Config Repository

Scenario Context: You've organized the configuration backups into the standard directory. However, you discover that any user on the system could potentially modify or delete these critical files. You must now secure the /etc/netbackup/ directory and its contents so that only the root user (you) can modify them, while allowing other administrators to view them if necessary. This is crucial for change control and audit trails.

Task List:

● Understand Linux file permissions and ownership by examining the current state.

● Change the ownership of the /etc/netbackup/ directory to the root user and group.

● Modify file permissions to enforce the principle of least privilege: read/write for owner, read-only for group, and others.

● Test the security by attempting to modify a file as a non-privileged user (simulated).

● Understand the numeric (octal) representation of permissions.

Detailed Step-by-Step Walkthrough:

We're back in the Ubuntu-MGMT station and ssh to Linux server. Let's start by examining the current security state of our backup directory. We use the ls command with the -l (long listing) and -a (all) flags to see permissions.

First, let's navigate to the /etc/ directory and look at netbackup.

cd /etc
ls -la | grep netbackup 📋

Press Enter. The | grep netbackup part filters the long list to only show lines containing "netbackup". You'll see a line like this:

drwxr-xr-x 4 root root 4096 Oct 27 10:15 netbackup

Let's break down the first part, drwxr-xr-x:

● The first character, d, indicates this is a directory.

● The next nine characters are three sets of three: rwx, r-x, r-x.

✓ Set 1 (rwx): Permissions for the owner (root). r=read, w=write, x=execute.

✓ Set 2 (r-x): Permissions for the group (root). r=read, -=no write, x=execute.

✓ Set 3 (r-x): Permissions for others (everyone else). r=read, -=no write, x=execute.

The x (execute) permission on a directory means you can cd into it and list its contents if you also have read permission. This is currently fine. However, the w (write) permission for the group is missing. Let's check if the group is set correctly. It shows root root (owner is root, group is root). Good.

Now, let's look inside the netbackup directory at the files and subdirectories.

ls -la /etc/netbackup/ 📋

Press Enter. You'll see the switches and routers directories. Their permissions are likely the same as the parent (drwxr-xr-x). Let's check the files inside the switches directory.

ls -la /etc/netbackup/switches/ 📋

Press Enter. You'll see your two files. Look at the permissions for sw_vlan_config.txt. It will look like:

-rw-r--r-- 1 root root 1234 Oct 27 10:15 sw_vlan_config.txt

Again, break it down:

● -: A regular file (not a directory).

● rw-: Owner (root) can read and write.

● r--: Group (root) can only read.

● r--: Others can only read.

This is actually a decent default for files: readable by all, writable only by owner. But for directories, we need to be more careful. The switches directory has r-x for group and others, meaning anyone on the system can cd into it and list the files. That's acceptable for viewing. However, can they create or delete files inside it? No, because they lack the w (write) permission on the directory itself. This is good.

But wait. There's a potential issue. The parent directory, /etc/netbackup, has r-x for group and others. This is also fine for viewing. But what if another user who is a member of the root group? In our case, the group is root, which typically has no regular users. But in a real team, you might have a group like netadmins. Let's tighten security to follow the principle of least privilege: owner can do everything, group can read and enter, others can do nothing.

We'll use the chmod command to change permissions. Permissions can be set using letters (u=user/owner, g=group, o=others, a=all) or numbers (octal). The numeric method is very common in scripting. Let's learn both.

First, the numeric method. You represent each set of three permissions (rwx) as a number:

● r (read) = 4

● w (write) = 2

● x (execute) = 1

You add them up for the set you want. For example:

● rwx (4+2+1) = 7

● r-x (4+0+1) = 5

● r-- (4+0+0) = 4

● --- (0+0+0) = 0

You then use three digits: first for owner, second for group, third for others. We want:

● Owner: rwx = 7

● Group: r-x = 5 (they can read and enter, but not create/delete)

● Others: --- = 0 (no access)

So the numeric code is 750.

Let's apply this to the /etc/netbackup directory.

chmod 750 /etc/netbackup 📋

Press Enter. Now verify the change.

ls -ld /etc/netbackup 📋

Press Enter. The output should now be: drwxr-x--- 4 root root 4096 Oct 27 10:15 netbackup. Notice the last three permissions changed from r-x to r-x? Wait, that's still r-x for group. That's correct, 5 is r-x. And for others, it changed from r-x to ---. Perfect. Others now have no access.

Now, we must apply the same permission to the subdirectories and files recursively. The -R flag for chmod means recursive—it applies the change to the directory and everything inside it. This is a powerful command. We want the directories to have 750 and the files to have 640 (rw-r-----), meaning files are readable by the group but not executable. Let's do it in two steps for clarity.

First, let's change permissions on all directories under /etc/netbackup to 750. We'll use the find command to target only directories.

find /etc/netbackup -type d -exec chmod 750 {} \; 📋

Press Enter. This command needs explanation:

● find /etc/netbackup: Start in the /etc/netbackup directory.

● -type d: Find only items of type directory.

● -exec chmod 750 {} ;: For each directory found, execute (-exec) the command chmod 750. The {} is a placeholder that gets replaced by the found directory's path. The \; marks the end of the -exec command.

Now, let's change permissions on all regular files to 640 (rw-r-----).

find /etc/netbackup -type f -exec chmod 640 {} \; 📋

Press Enter. This does the same but for files (-type f).

Let's verify the entire structure now.

ls -la /etc/netbackup/
ls -la /etc/netbackup/switches/ 📋

Press Enter. Look at the permissions now. The directories should show drwxr-x---. The files should show -rw-r-----. This means:

● For directories: Owner (root) has full access. Group (root) can list and enter. Others have no access.

● For files: Owner (root) can read and write. Group (root) can only read. Others have no access.

This is a very secure configuration.

Now, let's test it. We'll simulate what happens if a non-root user tries to modify a file. We can't easily become another user here, but we can test the "others" permissions. Let's try to read a file as "others" using the cat command. That should fail now because we set others to 0 (no access). Actually, we are root, so we bypass all permissions. To test properly, let's check the permissions directly.

We can also use the chown command to change ownership. Suppose a file was accidentally created by a different user. Let's create a test file as if we were someone else (we'll just create it as root, but then change its owner to a dummy user). First, create a user called testuser (if it doesn't exist).

adduser testuser --disabled-password --gecos "" 📋

Press Enter. This creates a user without a password prompt. Now, create a test file in a temporary location and change its owner.

touch /tmp/test_config.txt
chown testuser:testuser /tmp/test_config.txt
ls -l /tmp/test_config.txt 📋

Press Enter. You'll see the owner and group are now testuser. Now, let's try to copy this file into our secured /etc/netbackup/switches/ directory as the testuser. We'll use the sudo command to run as testuser.

sudo -u testuser cp /tmp/test_config.txt /etc/netbackup/switches/ 📋

Press Enter. What happens? You should get an error message:

Excellent! The permission system worked. The testuser, who is in the "others" category for the switches directory, does not have write (w) permission, so they cannot create a file there. This prevents unauthorized changes.

Now, let's clean up the test user and file.

userdel testuser
rm -f /tmp/test_config.txt 📋

Press Enter.

Finally, let's talk about the letter-based chmod syntax, as you'll see it in guides. To give group read access to a file, you could do:

chmod g+r /etc/netbackup/switches/sw_vlan_config.txt 📋

To remove read access from others:

chmod o-r /etc/netbackup/switches/sw_vlan_config.txt 📋

But the numeric method (750, 640) is more precise and common in scripts.

Let's do a final comprehensive check of our secured repository.

find /etc/netbackup -exec ls -ld {} \; 📋

This lists every item in the tree with its permissions. Everything should show either drwxr-x--- for directories or -rw-r----- for files.

Summary: You have now secured your network configuration backup repository. You understand:

● How to read permissions: Using ls -l to see rwx for user, group, and others.

● The principle of least privilege: Grant only the minimum permissions necessary.

● How to change permissions with chmod: Using numeric codes (like 750, 640) for precision, especially with the -R recursive flag.

● How to change ownership with chown: Using chown user:group filename.

● Why it matters: This prevents accidental or malicious modification of your golden configuration files, which is the foundation of network change control.

Your configuration archive is now organized and secure. In the next lab, we will start interacting with the actual network devices, and you'll use these files as your source of truth.