Using File ACLs on Linux for Additional Security

Using File ACLs on Linux for Additional Security

File ACLs can increase security due to the more granular permission structure. Still the use of ACLs is often not known to system administrators, resulting in directories and files having inappropriate file permissions.

When to use

Example: a directory could be configured with very tight permissions, including a proper owner and group. Normally the “Other” (everyone) group would have to be used to open up the file for people outside the owner group. This has a serious downside to open up a directory or file contents for all users.

With ACLs we can solve this issue. We still apply the tight permissions, however additionally we can give a single user file access.


To see the existing file permissions the getfacl command can be used.

# getfacl test1
# file: test1
# owner: root
# group: root

In this particular case the file has read-write permissions for the owner (root) and read access for the group (root).


When we want to allow the user “www-data” to access this particular file as well, we can adjust the ACL with the setfacl command.

setfacl -m u:www-data:r test1

This command adjust the file ACL and modified it to the user “www-data” having read access to the file, as can be seen in the screenshot below.

Screenshot of getfacl/setfacl under Linux to apply file access control list.

The use of getfacl/setfacl under Linux to apply file access control list.

Plus sign in ls output

If ACLs are applied to a file, the ls output will change. An additional plus sign will show up at the end of the line. This is to avoid overlooking the use of these additional permissions.


root@earth:~/facls# ls -l
total 0
-rw-r—–+ 1 root root 0 May 28 11:52 test1
-rw-r—–  1 root root 0 May 28 11:52 test2


File ACLs are powerful and provide a system administrator with more granular access possibilities. Where possible, use this feature to apply more strict file access, yet allowing the right people and process to access data.

Automate security audits with Lynis and Lynis Enterprise
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux (and Unix-based) systems more secure.

Daily security checks

Want to go to the next level of security scanning and system hardening? Start with automated security scans for Linux: Lynis and Lynis Enterprise.

Automate Scanning »

Leave a Reply

Your email address will not be published. Required fields are marked *