Secure Files/Directories using ACLs (Access Control Lists) in Linux
Access Control Lists (ACLs) in Linux provide a flexible and granular way to secure files and directories beyond traditional Unix permissions. While standard permissions only allow setting access for owner, group, and others, ACLs enable administrators to assign specific permissions to individual users and groups simultaneously. This allows fine-grained control over access rights using commands like setfacl and getfacl to define read, write, and execute permissions for multiple entities.
How ACLs Work
ACLs extend the basic Unix permission model by maintaining additional permission entries for files and directories. Each ACL entry names a user or group and the permissions granted to it. When a user attempts to access a file, the system checks the ACL entries in a fixed order: the owner entry first, then named user entries, then the owning group and any named group entries (each limited by the mask entry), and finally the other entry. The first matching category decides the outcome.
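As an added example (not part of the original article), the following Python script applies that check order to a getfacl listing, including the mask entry, to decide whether a given user may perform an operation. The listing, user names and group names are constructed for the example.

```python
# Constructed getfacl output for this example; not captured from a real host.
SAMPLE_ACL = """\
# file: /home/shared/document.txt
# owner: root
# group: root
user::rw-
user:alice:rwx\t\t#effective:r-x
user:bob:rw-\t\t#effective:r--
group::r--
group:developers:rw-\t\t#effective:r--
mask::r-x
other::---
"""


def parse_getfacl(text):
    """Return {"owner", "group", "entries": [(tag, qualifier, perm set)]}; default: entries are skipped."""
    acl = {"owner": "", "group": "", "entries": []}
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl["owner"] = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            acl["group"] = raw.split(":", 1)[1].strip()
        elif raw and not raw.startswith("#"):
            line = raw.split("#", 1)[0].strip()  # drop getfacl's "#effective:" hint
            if line.startswith("default:"): continue
            tag, qualifier, perms = line.split(":")
            acl["entries"].append((tag, qualifier, set(perms) - {"-"}))
    return acl


def is_allowed(acl, user, groups, requested):
    """True if `user` (member of `groups`) may do all of `requested`, e.g. "rw"."""
    want, entries = set(requested), acl["entries"]
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = lambda p: p if mask is None else p & mask     # mask bounds every non-owner entry
    if user == acl["owner"]:                               # 1. owner entry (never masked)
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:                                # 2. named user entry
        if t == "user" and q == user:
            return want <= masked(p)
    matched = False                                        # 3. owning group and named groups
    for t, q, p in entries:
        if t == "group" and (q in groups if q else acl["group"] in groups):
            matched = True
            if want <= masked(p):                          # one matching entry must grant all bits
                return True
    return False if matched else want <= next(p for t, q, p in entries if t == "other")  # 4. other
```

Note that alice holds rwx in her entry but the mask of r-x removes write, which is exactly what the "#effective:" hint in getfacl output reports.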
Setting Default ACLs
Default ACLs define permissions that are automatically applied to newly created files and directories within a specific directory. This ensures consistent access rights for all future items without manually assigning permissions to each new file or directory individually.
Steps to Set Default ACLs
```shell
# Create a test directory
mkdir /home/shared

# Set default ACLs for the directory
setfacl -d -m u:alice:rwx /home/shared
setfacl -d -m g:developers:rw- /home/shared
setfacl -d -m o::r-- /home/shared

# View the default ACLs
getfacl /home/shared
```

Output:

```text
# file: /home/shared
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:alice:rwx
default:group::r-x
default:group:developers:rw-
default:mask::rwx
default:other::r--
```
Granting Specific Permissions
ACLs allow administrators to assign precise access rights to individual users or groups for existing files and directories. This enables tailored security policies that match specific organizational requirements without affecting other users' access.
Examples of Specific Permission Assignment
```shell
# Grant read/write access to user 'bob' on a specific file
setfacl -m u:bob:rw- /home/shared/document.txt

# Grant read-only access to group 'audit' on a directory
setfacl -m g:audit:r-x /home/shared/reports/

# Remove the ACL entry for a specific user
setfacl -x u:bob /home/shared/document.txt

# Remove all extended ACL entries (base permissions stay)
setfacl -b /home/shared/document.txt
```
ACL Permission Types
| Permission | Symbol | Files | Directories |
|---|---|---|---|
| Read | r | View file content | List directory contents |
| Write | w | Modify file content | Create/delete files in directory |
| Execute | x | Run executable files | Access directory (cd command) |
Common Use Cases
- Project directories: grant different team members varying access levels to shared project folders
- Log files: allow multiple applications to write logs while restricting read access to administrators
- Backup systems: provide backup software read access to user files without granting full permissions
- Web directories: control access for different user groups to web server document roots
Key Commands
```shell
# View ACLs for a file or directory
getfacl filename

# Set ACL for a user
setfacl -m u:username:permissions filename

# Set ACL for a group
setfacl -m g:groupname:permissions filename

# Set default ACL (for directories)
setfacl -d -m u:username:permissions dirname

# Copy ACLs from one file to another
getfacl file1 | setfacl --set-file=- file2
```
Conclusion
ACLs provide powerful, granular access control in Linux systems, extending beyond traditional Unix permissions. By implementing default ACLs and specific permission assignments, administrators can create sophisticated security policies that ensure only authorized users and groups can access sensitive files and directories while maintaining flexibility for complex organizational structures.
