Apply a real admin workflow that combines secure shared-directory permissions, recurring and one-time scheduling, timezone verification, and an account aging fix. Inspect current state first, make targeted changes, and verify each outcome with concrete evidence.
A web content directory must be writable by the web team group, safely and consistently. Ops also needs a recurring cron job, a one-time at job, a timezone verification, and an account-expiration fix for a user who was locked out unexpectedly.
This is a “small changes, strong verification” workflow. You confirm current state, apply minimal changes with the right tool, and verify the result immediately before moving on.
/home/webfiles.
at.
/etc/localtime symlink.
ls -ld and interpreting mode bits.
at and queue inspection via atq.
/etc/localtime target.
chage to manage expiration policy.
sudo mkdir -p /home/webfiles
Use -p so the command is idempotent. This is the “safe to re-run” behavior you want in admin work.
sudo chgrp apache /home/webfiles
Group ownership defines who can collaborate in the directory. This lab uses apache as the team group for the shared path.
sudo chmod 2775 /home/webfiles
2775 sets setgid on the directory and grants rwx to owner and group, with r-x for others.
The setgid bit ensures new files inherit the directory group, which prevents “wrong group” churn.
ls -ld /home/webfiles
You are verifying two signals: group ownership shows apache, and the permission string shows an s
in the group execute position (drwxrwsr-x), which indicates setgid is active.
drwxrwsr-x. 2 root apache 4096 Jan 25 07:42 /home/webfiles
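The same verification in scripted form, as an added example that is not part of the original lab: check_shared_dir is a hypothetical helper that uses GNU stat to confirm the group owner, the setgid bit and the exact mode, so the result can be checked by exit status instead of by eye.

```bash
#!/usr/bin/env bash
# Added example: verify a shared directory's group, setgid bit and mode.
# check_shared_dir is a hypothetical helper name; requires GNU stat
# (present on RHEL-like hosts).

check_shared_dir() {
    local dir="$1" want_group="$2" want_mode="${3:-2775}" mode group

    # A symlinked shared path could resolve somewhere unexpected.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, a symlink, or not a directory"; return 1
    fi

    mode=$(stat -c '%a' "$dir")     # octal mode, e.g. 2775
    group=$(stat -c '%G' "$dir")    # group name, e.g. apache

    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; return 1
    fi
    # -g is true only when the setgid bit is set.
    if [ ! -g "$dir" ]; then
        echo "FAIL: setgid not set (mode $mode); new files will not inherit $want_group"
        return 1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL: mode is $mode, expected $want_mode"; return 1
    fi
    echo "OK: $dir $mode $group"
}

# Usage on the lab host:
#   check_shared_dir /home/webfiles apache
```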
sudo crontab -e
Use root’s crontab when the job must run as root and you want the schedule owned and managed at the system-admin layer.
15 0,12 * * * /usr/local/bin/webfiles-audit.sh
This runs at 00:15 and 12:15 daily. In production, you would also verify the script exists and has the right permissions, but the focus here is correct scheduling syntax and placement.
sudo crontab -l
Listing the crontab is your immediate proof that the scheduler has the job recorded under the intended user context.
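The production check mentioned above, as an added example that is not part of the original lab: audit_cron_line is a hypothetical helper that validates the five schedule fields of a crontab line and confirms the target script and its directory are owned by the job's user and not writable by group or others. Anyone who can modify a script that root's crontab runs effectively runs code as root, so this is the permission check that matters for this job.

```bash
#!/usr/bin/env bash
# Added example: audit one crontab line before trusting it to run as root.
# audit_cron_line is a hypothetical helper name; requires GNU stat.
# Simplification: schedule fields are checked for numeric syntax only
# (digits, '*', ',', '-', '/'), not names such as "mon" or "@daily".

audit_cron_line() {
    local line="$1" want_uid="${2:-0}" field cmd path uid mode
    set -f; set -- $line; set +f    # split fields without expanding '*'
    if [ "$#" -lt 6 ]; then
        echo "FAIL: expected 5 schedule fields and a command"; return 1
    fi
    for field in "$1" "$2" "$3" "$4" "$5"; do
        case "$field" in
            *[!0-9*,/-]*) echo "FAIL: bad schedule field '$field'"; return 1 ;;
        esac
    done
    cmd="$6"
    case "$cmd" in
        /*) ;;
        *) echo "FAIL: command is not an absolute path: $cmd"; return 1 ;;
    esac
    if [ -L "$cmd" ] || [ ! -f "$cmd" ]; then
        echo "FAIL: $cmd is missing or not a regular file"; return 1
    fi
    if [ ! -x "$cmd" ]; then
        echo "FAIL: $cmd is not executable"; return 1
    fi
    # The script and its directory must belong to the job's user and must
    # not be writable by group or others (mode bits 022).
    for path in "$cmd" "$(dirname "$cmd")"; do
        uid=$(stat -c '%u' "$path"); mode=$(stat -c '%a' "$path")
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $path is owned by uid $uid, expected $want_uid"; return 1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $path is group- or world-writable (mode $mode)"; return 1
        fi
    done
    echo "OK: $1 $2 $3 $4 $5 -> $cmd"
}

# Usage on the lab host, with root's entry from the page:
#   audit_cron_line '15 0,12 * * * /usr/local/bin/webfiles-audit.sh'
```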
at now + 1 hour
at is for one-off execution. After entering the at prompt, you would type the command(s) to run and end input with
Ctrl+D.
atq
This confirms the job exists and is scheduled for the expected time.
ls -l /etc/localtime
On most RHEL-like systems, /etc/localtime points to a zoneinfo file. Confirming the target is quick evidence that the host
is configured for the expected region.
lrwxrwxrwx. 1 root root 33 Jan 25 06:58 /etc/localtime -> ../usr/share/zoneinfo/America/New_York
sudo chage -E -1 username
Setting expiration to -1 removes the account expiration date. This addresses “account expired” lockouts without changing
the password. In production, you would confirm the user’s status and document the change.
If ls -ld does not show rws for the group bits, setgid is not active and new files may inherit the wrong group.
Re-apply chmod 2775 and verify again.
Confirm the script path is correct and executable. Also confirm cron is running and that your schedule is valid for the system timezone.
Validate with sudo crontab -l and check logs if available.
The at subsystem may be disabled or the service may not be running. Ensure the at daemon is available and that you ended job input with
Ctrl+D. Verify with atq.
Account expiration is not the same as password lock. Check aging and lock state separately. If needed, inspect the full aging state with
chage -l username and confirm there are no additional policy constraints.
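The difference between expiration and lock, as an added example that is not part of the original lab: account_state is a hypothetical helper that reads one shadow(5)-format line and reports the two conditions independently, so an account that is both locked and expired is not mistaken for one that chage -E -1 alone would fix. The sample entry is constructed, not taken from a real system.

```bash
#!/usr/bin/env bash
# Added example: tell "account expired" apart from "password locked".
# account_state is a hypothetical helper name. It reads one shadow(5) line:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Field 8 (expire) counts days since 1970-01-01; empty means no expiration,
# the state `chage -E -1` leaves behind. A hash that starts with '!' is a
# locked password (as set by `passwd -l` or `usermod -L`).

account_state() {
    local entry="$1" today="$2" hash expire state=""
    # Default "today" to the current day number since the epoch.
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))
    hash=$(printf '%s\n' "$entry" | cut -d: -f2)
    expire=$(printf '%s\n' "$entry" | cut -d: -f8)

    case "$hash" in
        '!'*) state="locked" ;;
    esac
    # Expired once the current day reaches the expire day.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        state="${state:+$state,}expired"
    fi
    echo "${state:-active}"
}

# Constructed sample entry (placeholder hash): locked, and expired on day 19999.
SAMPLE='webuser:!$6$salt$hash:19700:0:99999:7::19999:'

# Usage on the lab host (reading shadow requires root):
#   account_state "$(sudo getent shadow username)"
```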
If this is a training system and you want to revert changes, remove the cron entry and delete the shared directory. If the at job was queued, remove it as well. Keep the timezone unchanged unless the lab explicitly required modifications.
ls -ld /home/webfiles
sudo crontab -l
atq
ls -l /etc/localtime
The shared directory shows the expected group and setgid permissions, the cron line appears under root, the at queue reflects the expected job, timezone points to the expected zoneinfo file, and the user no longer has an account expiration date.
mkdir -p <dir>
: Creates a directory path and does not fail if it already exists.
-p : Creates parent directories as needed.
chgrp <group> <path>
: Changes the group ownership of a file or directory.
chmod 2775 <dir>
: Sets directory permissions and enables setgid for group inheritance.
2 : setgid on directories (new files inherit the directory group).
775 : rwx for owner and group, r-x for others.
ls -ld <path>
: Displays directory metadata (permissions, owner, group) for the directory itself.
-l : Long listing format.
-d : Lists the directory entry, not its contents.
crontab -e
: Edits the current user’s crontab.
sudo crontab -e : Edits root’s crontab.
crontab -l
: Lists the current user’s crontab.
sudo crontab -l : Lists root’s crontab.
at now + 1 hour
: Schedules a one-time job for a future time.
atq
: Lists pending at jobs in the queue.
ls -l /etc/localtime
: Shows the timezone symlink target used by the system.
chage -E -1 <user>
: Removes account expiration for a user.
-E : Sets the account expiration date.
-1 : No expiration.