XK0-004 · Question #508
A technician wants to update the contents of the /etc/hosts.allow file. The technician reviews the following output: According to best practice, which of the following commands should the technician u
The correct answer is A. setfacl u:user:w /etc/hosts.allow; vi hosts.allow. Best practice for editing a sensitive system file is to grant only the minimum necessary permission to the specific user via ACLs rather than elevating full root privileges or changing file ownership.
Question
A technician wants to update the contents of the /etc/hosts.allow file. The technician reviews the following output:
According to best practice, which of the following commands should the technician use?
Exhibit
Options
- Asetfacl u:user:w /etc/hosts.allow; vi hosts.allow
- Bvisudo /etc/hosts.allow
- Cchgrp user /etc/hosts.allow; vi /etc/hosts.allow
- Dsudo vi /etc/hosts.allow
- Echown user /etc/hosts.allow; vi /etc/hosts.allow
How the community answered
(33 responses)- A82% (27)
- B6% (2)
- C3% (1)
- D9% (3)
Why each option
Best practice for editing a sensitive system file is to grant only the minimum necessary permission to the specific user via ACLs rather than elevating full root privileges or changing file ownership.
Using setfacl to assign a targeted write ACL entry for the specific user follows the principle of least privilege - the user receives only write access to that one file without gaining broad sudo rights or becoming the file owner. This keeps the base permissions and ownership of /etc/hosts.allow intact while allowing the required edit, which is the recommended approach when fine-grained access control is available.
visudo is a safe editor exclusively for the /etc/sudoers file; it cannot be used to edit /etc/hosts.allow and will not open it correctly.
chgrp changes the file's group ownership, which permanently alters the file's permission model rather than granting a temporary, targeted ACL entry.
sudo vi grants full root-level access during the edit session, which is broader than necessary when ACL-based targeted write permission is available.
chown transfers ownership of a system-critical file to a regular user, which permanently weakens the file's security posture beyond what the task requires.
Concept tested: Linux ACL least-privilege file permission management
Source: https://man7.org/linux/man-pages/man1/setfacl.1.html
Topics
Community Discussion
No community discussion yet for this question.
