easy · linux · ~20 min

Lock down a secrets file

A config file with credentials is world-readable. Fix its ownership and permissions so the owner can write it, the app group can read it, and nobody else can touch it. It's the daily bread of Linux administration.

Scenario

/srv/app/secret.conf holds database credentials. Right now it's owned by root:root with mode 644: world-readable. Any user on the box can read the secrets. Lock it down.

The people involved

  • deploy: the service account that owns and updates the file (needs read + write)
  • webops: a member of the app group (needs read only)
  • guest: an ordinary user, not in the app group (must have no access)

Your job

Edit fix.sh with the chown/chmod commands so that:

| who | access |
|-----|--------|
| owner deploy | read + write |
| group app | read only |
| others | nothing |

How it's graded

The grader applies your commands to the file and then checks what each user can actually do. This is real permission resolution, not a string match. Get the ownership and the mode both right.

Reminder: octal permissions

r=4 w=2 x=1, summed per class (owner, group, other). So owner rw = 6, group r = 4, other none = 0 → 640.
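
The octal arithmetic above, as an added example that is not part of the original challenge: a shell check that builds the target mode from rwx strings and audits a file's mode against it. It assumes GNU stat (`stat -c`) and runs on a constructed temp file; the function names are hypothetical, and ownership is not touched because changing it needs root.

```shell
#!/bin/sh
# Added example: audit a file's mode against the target from the octal reminder.
# Assumes GNU stat (stat -c), as found on Linux. The demo file is a constructed
# temp file, not /srv/app/secret.conf; ownership is not changed (needs root).

# perm_digit "rw-" -> 6: sum r=4, w=2, x=1 for one class.
perm_digit() {
    d=0
    case "$1" in *r*) d=$((d + 4)) ;; esac
    case "$1" in *w*) d=$((d + 2)) ;; esac
    case "$1" in *x*) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# octal_mode OWNER GROUP OTHER -> three-digit mode, e.g. rw- r-- --- -> 640.
octal_mode() {
    printf '%s%s%s' "$(perm_digit "$1")" "$(perm_digit "$2")" "$(perm_digit "$3")"
}

# audit_mode FILE WANT: report each problem, return 0 only on an exact match.
audit_mode() {
    have=$(stat -c '%a' "$1") || return 2
    [ "$have" = "$2" ] && { echo "OK   $1 mode $have"; return 0; }
    echo "FAIL $1 mode $have, want $2"
    # Leading 0 makes the shell read the value as octal; mask out each class.
    [ $((0$have & 7)) -ne 0 ] && echo "     others have access (digit $((0$have & 7)))"
    [ $((0$have & 020)) -ne 0 ] && echo "     group can write"
    return 1
}

# Demo: start from the scenario's 644, then apply the target mode.
want=$(octal_mode rw- r-- ---)
f=$(mktemp)
chmod 644 "$f"
audit_mode "$f" "$want" || echo "     -> chmod $want needed"
chmod "$want" "$f"
audit_mode "$f" "$want" || true
rm -f "$f"
```

The mode check covers only half of what the grader verifies; the owner and group still have to be set as the table requires.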

Teaches: Unix ownership and permission bits, the first thing every Linux admin and security review checks.

What gets checked

Your solution is verified against each of these:

  • The file is owned by user deploy and group app
  • Owner (deploy) can read and write the file
  • The app group (webops) can read but not write
  • Everyone else (guest) has no access

Solve it in your browser

No setup, no install. Write your solution in the editor and hit Check. The in-house engine renders and grades it instantly, then issues your proof the moment every check passes.


Prefer your own lab?

  1. Build the fix locally. New to the tooling? See setting up your lab.
  2. Push your topology file, device configs, and any playbooks to a public repo (GitHub or GitLab).
  3. Submit the repo link. We review it by hand, confirm it works, and issue your proof page.