nerdexam
CompTIA

XK0-004 · Question #508

A technician wants to update the contents of the /etc/hosts.allow file. The technician reviews the following output: According to best practice, which of the following commands should the technician u

The correct answer is A. setfacl u:user:w /etc/hosts.allow; vi hosts.allow. Best practice for editing a sensitive system file is to grant only the minimum necessary permission to the specific user via ACLs rather than elevating full root privileges or changing file ownership.

Security

Question

A technician wants to update the contents of the /etc/hosts.allow file. The technician reviews the following output:

According to best practice, which of the following commands should the technician use?

Exhibit

XK0-004 question #508 exhibit

Options

  • Asetfacl u:user:w /etc/hosts.allow; vi hosts.allow
  • Bvisudo /etc/hosts.allow
  • Cchgrp user /etc/hosts.allow; vi /etc/hosts.allow
  • Dsudo vi /etc/hosts.allow
  • Echown user /etc/hosts.allow; vi /etc/hosts.allow

How the community answered

(33 responses)
  • A
    82% (27)
  • B
    6% (2)
  • C
    3% (1)
  • D
    9% (3)

Why each option

Best practice for editing a sensitive system file is to grant only the minimum necessary permission to the specific user via ACLs rather than elevating full root privileges or changing file ownership.

Asetfacl u:user:w /etc/hosts.allow; vi hosts.allowCorrect

Using setfacl to assign a targeted write ACL entry for the specific user follows the principle of least privilege - the user receives only write access to that one file without gaining broad sudo rights or becoming the file owner. This keeps the base permissions and ownership of /etc/hosts.allow intact while allowing the required edit, which is the recommended approach when fine-grained access control is available.

Bvisudo /etc/hosts.allow

visudo is a safe editor exclusively for the /etc/sudoers file; it cannot be used to edit /etc/hosts.allow and will not open it correctly.

Cchgrp user /etc/hosts.allow; vi /etc/hosts.allow

chgrp changes the file's group ownership, which permanently alters the file's permission model rather than granting a temporary, targeted ACL entry.

Dsudo vi /etc/hosts.allow

sudo vi grants full root-level access during the edit session, which is broader than necessary when ACL-based targeted write permission is available.

Echown user /etc/hosts.allow; vi /etc/hosts.allow

chown transfers ownership of a system-critical file to a regular user, which permanently weakens the file's security posture beyond what the task requires.

Concept tested: Linux ACL least-privilege file permission management

Source: https://man7.org/linux/man-pages/man1/setfacl.1.html

Topics

#setfacl#ACL#hosts.allow#least privilege

Community Discussion

No community discussion yet for this question.

Full XK0-004 Practice