Using File ACLs on Linux for Additional Security

Using File ACLs on Linux for Additional Security

File ACLs can increase security due to the more granular permission structure. Still the use of ACLs is often not known to system administrators, resulting in directories and files having inappropriate file permissions.

When to use

Example: a directory could be configured with very tight permissions, including a proper owner and group. Normally the “Other” (everyone) group would have to be used to open up the file for people outside the owner group. This has a serious downside to open up a directory or file contents for all users.

With ACLs we can solve this issue. We still apply the tight permissions, however additionally we can give a single user file access.

Getfacl

To see the existing file permissions the getfacl command can be used.

# getfacl test1
# file: test1
# owner: root
# group: root
user::rw-
group::r–
other::—

In this particular case the file has read-write permissions for the owner (root) and read access for the group (root).

Setfacl

When we want to allow the user “www-data” to access this particular file as well, we can adjust the ACL with the setfacl command.

setfacl -m u:www-data:r test1

This command adjust the file ACL and modified it to the user “www-data” having read access to the file, as can be seen in the screenshot below.

Screenshot of getfacl/setfacl under Linux to apply file access control list.

The use of getfacl/setfacl under Linux to apply file access control list.

Plus sign in ls output

If ACLs are applied to a file, the ls output will change. An additional plus sign will show up at the end of the line. This is to avoid overlooking the use of these additional permissions.

Example:

root@earth:~/facls# ls -l
total 0
-rw-r—–+ 1 root root 0 May 28 11:52 test1
-rw-r—–  1 root root 0 May 28 11:52 test2

Conclusion

File ACLs are powerful and provide a system administrator with more granular access possibilities. Where possible, use this feature to apply more strict file access, yet allowing the right people and process to access data.

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package




Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Download

Leave a Reply

Your email address will not be published. Required fields are marked *