File Attributes
9m 25s
ACLs Demo
6m 13s
8m 33s

The course is part of this learning path

Linux Security and Hardening
Start course
1h 13m

This course covers the security features that you can use in order to secure your files and directories on Linux. We look at permissions, data sharing, special modes, file attributes, ACLs, and rootkits. You will also have the chance to follow along with guided demonstrations which will give you a practical understanding of the concepts covered.

Learning Objectives

  • Learn how Linux file and directory permissions work and how to apply the proper permissions to files and directories
  • Learn how to share data securely with groups and multiple users on a Linux system
  • Understand how special modes add extra security to file systems
  • Learn how to make files unchangeable even by the root user and how to secure the log files on a Linux system by making them append-only
  • Learn how to secure files and directories using ACLs
  • Learn about rootkits and how to discover and remove them

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.


To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.


An ACL or access control list provides additional granularity to the traditional Unix and Linux file permissions. For example, if you wanna give one individual user access to a file, but you don't want to add that user to the group of the file because they don't need access to the additional files and directories that membership would give them, you can use an ACL. If you were to solve this access issue using traditional permissions, you would have to create a new group. In that group you would put the user who needs access to that single file as well as the existing members of the original group. Now anytime the group members are changed in the original group they also have to be changed in this new group as well. In order to use ACLs, the file system has to have been mounted with ACL support. For ext type file systems you can either set the default mount options with a tune2fs command, or add the acl option in the atcfs tab file. ACL support is enabled by default on many file systems like xfs and b3fs. There are two types of ACLs. The first type of ACL is called an access ACL. These ACLs grant permissions on specific files and directories. The other type of ACL is called a default ACL. Default ACLs are used only on directories. The rules of the default ACL on a directory are used if a file within that directory doesn't have an access ACL of its own. If you apply a default ACL to a directory any existing files in their ACLs will not be modified. If you want to change the ACLs on the existing files in the directory, you have to do it manually. It will not be done automatically when you create the default ACL. Only files and directories created after the default ACL was added will be affected. These default ACLs on directories are totally optional. ACLs can be created for and configured per user per group for users not in the files group and via an effective rights mask. The setfacl command is used to create, modify and delete ACLs on files and directories. If for some reason the command is not available on your system, you'll need to install the ACL tools. Typically the package is named ACL. In order to create or modify an ACL, run setfacl -m followed by the ACL sometimes called a rule and then the FILE_OR_DIRECTORY to apply that ACL too. ACLs again, sometimes called rules, follow a specific format. If you want to control the access for a given user, start the rule with a u followed by a colon, followed by a username or UID and the desired permissions. To allow the jason user permissions to read, write and execute, you would run setfacl -m u:json:rwx If you want to allow sam read and execute permission run setfacl -m u:sam:xr Notice that I didn't supply the normal set of three permissions with a dash representing a permission not given and I didn't even put the permissions in the traditionally correct order. Just be sure to supply the permissions that you want to grant. If you want to add permissions to a group use the format of g: group name or gid: and then the permissions. To grant all members of the sales group read and write permissions to the sales.txt file, run setfacl -m g:sales:rw sales.txt. To set the effective rights mask use m: followed by the permissions. The effective rights mask is used to restrict permissions for all users and groups that are defined in the ACL. For example, you can prevent all users from writing to a file by setting the effective mask of r-x. To do this on a file named sales.text, run setfacl -m m:rx sales.txt. Sometimes the effective mask is automatically calculated and set when you run a command or when a file is created due to the umask. To add permissions for others use o: followed by the permissions. These permissions apply to people who are not members of the files group. To allow others re permission on the sales.text file, for example, run setfacl -m o:r sales.txt. Multiple rules can be applied by separating them by a comma. Note that there are no spaces before or after the comma. To allow the user bob re permissions and the sales group read and write permissions on the sales.txt file, you would run setfacl -m u:bob:r,g:sales:rw sales.txt. So far, we've been talking about how to set access ACLs. Let's shift into setting default ACLs. If we want every file that gets created in the sales directory to be readable and writeable to the members of the sales group, we create a default ACL for the sales group. Default ACLs are like access ACLs except they are proceeded by d: So to get our desired default rule we run setfacl -m d:g:sales:rw sales. Now, when we create a new file or directory inside the sales directory, it will contain an access ACL that grants members of the sales team read and write access. In the cases of newly created sub-directories, they will also contain this default ACL, so the ACLs are carried down through the file system tree. Remember, any existing files will not have this default rule applied. If you want to modify their ACLs do so with a setfacl command manually. The easiest way to modify the ACLs for existing files in a directory is to do so recursively. Continuing on with our previous example, we can make sure members of the sales group have read write permissions on all the files and directories within the sales directory tree by running setfacl -R -m g:sales:rw sales. To remove a rule run setfacl -x followed by the rule you want to delete. When you specify the rule, you leave out the permission section. for example, to delete a rule that has granted some permissions to the jason user on sales.txt, you would run setfacl -x u:jason sales.txt. Notice that I didn't use something like u:jason:rw, just u:jason when deleting ACLs remember to leave off the permissions field. Another example would be setfacl -x g:sales sales.txt. That command would remove the rule pertaining to the sales group. If you want to remove all the ACL entries for a file, run setfacl -b followed by the path to the file or directory. Once you run this command, then traditional Linux permissions will be honored exactly as they are set on the file. Now, you know how to create, modify and delete ACLs with a setfacl command. To view ACLs use the getfacl command. Here's some example output of a getfacl ran against a file that doesn't have any ACL rules applied to it. The first three lines of output is the header. This simply tells us who owns the file, the group the file is in and the files name. The next section of the output shows the rules for this file. These rules are simply a reflection of the traditional Linux permissions applied to this file. There are no rules for individual users or groups in this particular example. This example shows a rule being added to the sales.txt file, and then that rule is displayed with they getfacl command. You'll notice that the rule now appears in the getfacl output. Even though a mask wasn't specified, it was calculated and automatically added for us. If you wanted to tighten the effective right to mask, you could do so after adding all the other rules. Let's look at some getfacl output for a directory that has default ACLs. The default rules are clearly marked at the bottom of this output. In this example, any new files or directories created within this directory will give members of the sales group read and write access. How will you be able to know if a file has ACLs? The easiest way to spot a file with ACLs is to look at its LS output. If ACLs are in use, you'll see a plus sign at the end of the permission string. In this example, the sales.txt file has ACLs and the other files do not. If you want to get the exact permissions for that file you would of course run getfacl against that file.

About the Author
Jason Cannon
Founder, Linux Training Academy
Learning Paths

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.