1. Home
  2. Training Library
  3. Linux Security and Hardening | CSL4 A3.1 |

ACLs Demo

Start course
3h 21m

In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.

You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.

In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.

You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.

There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.

Learning Objectives

  • Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn about multi-factor authentication and how it can be implemented in Linux
  • Learn techniques and strategies to secure network services
  • Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes, ACLs, and rootkits

Let's start out by creating a directory that we plan to use as a shared storage space for a project. Called this projectx. And let's also set the default permissions on that directory so that the members of the projectx group have full permissions on it. Now I'm going to switch to a user that's in that group and create a file in that directory. Switched to this user called Sam and Sam is indeed in the projectx group. Just create a file here. Now let's say Sam wants Bob to be able to edit the notes.text file. However, Bob is not a member of the projectx group and he really doesn't need access to the other files. Just this one file. So Sam can add an ACL to allow Bob to edit just this one file, and we can do this by running this setfacl command dash m for modify, in this case we're adding a new rule. We're going to allow the user Bob read and write access to the notes.text file. Okay, here we can see in the output that the user Bob has read and write privileges on this notes.text file. So let's see if Bob can actually do that. Exit out of the Sam account, switched to the Bob account. Okay, there's the existing text. So if an ACL wasn't in place, Bob wouldn't be able to edit that file. You can see that it's a read right by the projectx group. However, Bob is only in the Bob group. And furthermore, we couldn't even create files in that directory because we don't have permission to do that as well. We'll just... You know. Show you that. And sure enough, Bob doesn't have permissions to the projectx folder, because again he's not in that group. Okay, let's say Bob's help is no longer needed, so let's remove his access. Get out of the Bob account. Let's get back to the Sam account. And we're going to remove the rule with dash X, U, 'cause it's a user rule on Bob. And we don't need to specify the permissions. As a matter of fact, you shouldn't specify the permissions and we'll run that on the notes.text file. I'll see our changes here and now there is no rule with Bob in the output of this setfacl command. Let's create a file as root in this projectx directory. We'll just say root was here, do an LS. And you can see that that file was created. You'll notice that this newly created file was created with the root as the owner and root as the group. You'll also notice that there are no ACL's on this file because there's no plus sign in the LS output. So right now, if a member of the projectx group tried to edit that file, they couldn't. So let's demonstrate this, let's switch to the Sam account and let's try to write some data to that file there. And sure enough, we get a permission denied even though Sam's in the projectx group, but that root was here file was not created with projectx group permissions. Okay, so let's make it so that any members of the projectx group can read or write newly created files in this directory. And we'll do that by running setfacl, dash M for modify. And D for default, G group projectx read, write dot. Now that dot represents the current directory, in this case, it's the projectx directory. So let's do this run LS dash LD on dot, and you can see the plus sign. So there are ACS in play. getfacl on this directory. Then you can see that there are default permissions here or default rules on this directory, such as the project group gets read and write permissions. So let's create another file and see what happens here. Just touch the test file. Now there's a plus sign on this newly created file and let's look at its ACL rules. Okay, as expected, the group projectx has read and write permissions on this file. And let's see if someone from the projectx group can actually edit this file. We'll switch the Sam user, again he's in the projectx group. And we'll let him edit this test file "sam was here". Okay, sure enough. He was able to edit that file. Okay. So notice that the file that was created before this default ACL was added to the directory does not have an ACL. Let's recursively add this rule so that existing files will get the permissions we want them to have. So I would run a setfacl, dash capital R for recursive. Group projectx read, write and dot. Again, dot represents this current directory you have specified the full path. As a matter of fact , I'll just go ahead and do that and hit enter here. Now that we've changed the ACL's on all the files in this director of recursively, you can see that the first file, "root was here" that did not have an ACL, does in fact have an ACL now. All right, let's look at that rule. Sure enough, projectx group has read and write permissions on that file.

About the Author