ACLs Demo
1h 13m

This course covers the security features that you can use in order to secure your files and directories on Linux. We look at permissions, data sharing, special modes, file attributes, ACLs, and rootkits. You will also have the chance to follow along with guided demonstrations which will give you a practical understanding of the concepts covered.

Learning Objectives

  • Learn how Linux file and directory permissions work and how to apply the proper permissions to files and directories
  • Learn how to share data securely with groups and multiple users on a Linux system
  • Understand how special modes add extra security to file systems
  • Learn how to make files unchangeable even by the root user and how to secure the log files on a Linux system by making them append-only
  • Learn how to secure files and directories using ACLs
  • Learn about rootkits and how to discover and remove them

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.


To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.


Let's start out by creating a directory that we plan to use as a shared storage space for a project. Call it projectx. And let's also set the default permissions on that directory so that the members of the projectx group have full permissions on it. Now I'm going to switch to a user that's in that group and create a file in that directory. I've switched to this user called Sam, and Sam is indeed in the projectx group. Just create a file here.

Now let's say Sam wants Bob to be able to edit the notes.text file. However, Bob is not a member of the projectx group, and he really doesn't need access to the other files, just this one file. So Sam can add an ACL to allow Bob to edit just this one file, and we can do this by running this setfacl command: -m for modify (in this case we're adding a new rule). We're going to allow the user Bob read and write access to the notes.text file. Okay, here we can see in the output that the user Bob has read and write privileges on this notes.text file. So let's see if Bob can actually do that. Exit out of the Sam account, switch to the Bob account. Okay, there's the existing text. If an ACL weren't in place, Bob wouldn't be able to edit that file. You can see that it's read/write by the projectx group; however, Bob is only in the bob group. And furthermore, we couldn't even create files in that directory, because we don't have permission to do that either. I'll just show you that. And sure enough, Bob doesn't have permissions to the projectx folder, because again he's not in that group.

Okay, let's say Bob's help is no longer needed, so let's remove his access. Get out of the Bob account and get back to the Sam account. We're going to remove the rule with -x, then u: because it's a user rule, on bob. We don't need to specify the permissions; as a matter of fact, you shouldn't specify the permissions. And we'll run that on the notes.text file. We'll see our changes here, and now there is no rule with Bob in the output of this setfacl command.

Let's create a file as root in this projectx directory. We'll just say "root was here", then do an ls. And you can see that that file was created. You'll notice that this newly created file was created with root as the owner and root as the group. You'll also notice that there are no ACLs on this file, because there's no plus sign in the ls output. So right now, if a member of the projectx group tried to edit that file, they couldn't. So let's demonstrate this: let's switch to the Sam account and try to write some data to that file. And sure enough, we get a permission denied even though Sam's in the projectx group, because that "root was here" file was not created with projectx group permissions.

Okay, so let's make it so that any members of the projectx group can read or write newly created files in this directory. And we'll do that by running setfacl -m for modify, then d: for default, g:projectx:rw, and dot. Now that dot represents the current directory; in this case, it's the projectx directory. So let's run ls -ld on dot, and you can see the plus sign. So there are ACLs in play. Run getfacl on this directory, and you can see that there are default permissions here, or default rules, on this directory, such as the projectx group getting read and write permissions. So let's create another file and see what happens. Just touch the test file. Now there's a plus sign on this newly created file, and let's look at its ACL rules. Okay, as expected, the group projectx has read and write permissions on this file. And let's see if someone from the projectx group can actually edit this file. We'll switch to the Sam user; again, he's in the projectx group. And we'll let him edit this test file: "sam was here". Okay, sure enough, he was able to edit that file.

So notice that the file that was created before this default ACL was added to the directory does not have an ACL. Let's recursively add this rule so that existing files will get the permissions we want them to have. So I would run setfacl -R (capital R, for recursive), g:projectx:rw, and dot. Again, dot represents this current directory; you could have specified the full path. As a matter of fact, I'll just go ahead and do that and hit enter. Now that we've changed the ACLs on all the files in this directory recursively, you can see that the first file, "root was here", that did not have an ACL does in fact have an ACL now. All right, let's look at that rule. Sure enough, the projectx group has read and write permissions on that file.
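The steps from the demo above, collected into one script as an added example (this is not the course's own script; the demo shows the commands typed interactively). It assumes the acl package (setfacl/getfacl) is installed and the filesystem supports POSIX ACLs; the directory path /srv/projectx, the file names notes.txt and root.txt, and the existence of the projectx group and the users sam and bob are assumptions for the guarded walkthrough at the end. The helper functions take the path, group and user as arguments so they can be applied to any directory. The two check functions add what the demo reads off the getfacl output by eye: whether a given entry is present, and what the entry's effective permissions are once the mask is applied.

```shell
#!/bin/sh
# Added example: the ACL operations from the demo, as reusable functions.
# Assumes setfacl/getfacl are installed and the filesystem supports POSIX ACLs.
set -eu

# Shared directory owned by the project group, nothing for "other".
# (The demo sets group permissions but not the setgid bit, which is why
# root's file later showed group "root", not "projectx".)
setup_shared_dir() {            # setup_shared_dir DIR GROUP
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 0770 "$1"
}

# Let one user read/write one file without changing group membership.
grant_user_rw() {               # grant_user_rw FILE USER
    setfacl -m "u:$2:rw" "$1"
}

# Remove that user's entry again: -x takes no permission string.
revoke_user() {                 # revoke_user FILE USER
    setfacl -x "u:$2" "$1"
}

# Default ACL: files created in DIR from now on inherit group rw.
set_default_group_rw() {        # set_default_group_rw DIR GROUP
    setfacl -m "d:g:$2:rw" "$1"
}

# Retrofit the access ACL onto DIR and everything already inside it.
apply_group_rw_recursive() {    # apply_group_rw_recursive DIR GROUP
    setfacl -R -m "g:$2:rw" "$1"
}

# ACL entries of PATH in getfacl's compact form, one per line,
# e.g. "user:bob:rw-", "group:projectx:rw-", "default:mask::rwx".
acl_entries() {                 # acl_entries PATH
    getfacl --omit-header "$1" 2>/dev/null | grep -v '^#' | grep -v '^$'
}

# True if PATH carries exactly the entry ENTRY (e.g. "user:bob:rw-").
has_acl_entry() {               # has_acl_entry PATH ENTRY
    acl_entries "$1" | grep -Fx "$2" >/dev/null
}

# True if ls shows the "+" that marks an extended ACL (11th char of the mode).
has_acl_flag() {                # has_acl_flag PATH
    ls -ld "$1" | awk 'NR==1 { exit (substr($1,11,1)=="+") ? 0 : 1 }'
}

# Effective permissions of the entry whose qualifier is QUALIFIER
# (e.g. "group:projectx"): the entry's own bits, unless getfacl appends
# "#effective:..." because the mask narrows them.
effective_perms() {             # effective_perms PATH QUALIFIER
    getfacl --omit-header "$1" 2>/dev/null \
      | awk -v q="$2:" 'index($0, q) == 1 {
            perms = substr($1, length(q) + 1)
            if (match($0, /#effective:[rwx-]+/)) perms = substr($0, RSTART + 11, 3)
            print perms; exit }'
}

# Walkthrough of the demo's sequence. Runs only as DEMO=1 and needs root plus
# the projectx group and the users sam and bob (names and path are assumptions).
if [ "${DEMO:-0}" = 1 ]; then
    setup_shared_dir /srv/projectx projectx
    su sam -c 'echo "sam notes" > /srv/projectx/notes.txt'
    grant_user_rw /srv/projectx/notes.txt bob            # u:bob:rw on one file
    su bob -c 'echo "bob was here" >> /srv/projectx/notes.txt'
    revoke_user /srv/projectx/notes.txt bob              # bob is done
    echo "root was here" > /srv/projectx/root.txt        # group root, no ACL
    set_default_group_rw /srv/projectx projectx          # d:g:projectx:rw
    touch /srv/projectx/test.txt                         # inherits group:projectx:rw-
    apply_group_rw_recursive /srv/projectx projectx      # covers root.txt too
    acl_entries /srv/projectx/root.txt
    has_acl_flag /srv/projectx/root.txt && echo "root.txt now has an ACL"
fi
```

Two caveats worth checking with effective_perms rather than assuming. First, once a directory has a default ACL the umask is no longer applied to files created in it; the create mode (0666 for touch or a shell redirection) is intersected with the inherited entries instead, which is why the demo's test file came out group-writable. Second, on a file that has a mask entry, chmod's group bits set the mask, not the group entry: after chmod 644 the entry still reads group:projectx:rw- but getfacl annotates it #effective:r--, and members of the group can no longer write. The same narrowing happens for files copied in with a 0644 mode, so the recursive setfacl -m is also the fix for those, since it recomputes the mask.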

About the Author

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, and FireEye. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.