Welcome to the fourth part of our tutorial series. Today we will see how to create an access control list (ACL).

With an ACL, we can allow only a certain person to access a file or directory, or we can allow multiple people to access a file or directory with different permissions for each person. If we have a file or directory that is wide open to everyone, we can use an ACL to grant different levels of access to either a group or an individual.

To begin, let’s create a text file (acl_test.txt).

Next, use getfacl to see if we have any access control lists already set on the text file.

All we see here are the normal permission settings, so no ACL is set yet.

The first step for setting an ACL is to remove all permissions from everyone except the owner of the file. That’s because the default permission settings allow members of the group to have read/write access and others to have read access.

# chmod 600 acl_test.txt

Next we will set the ACL using setfacl. With it you can allow a user or a group to have any combination of read, write, or execute privileges.

# setfacl -m u:rd:r acl_test.txt

Now let’s check that the permissions are set.

The -m option of setfacl means that we’re about to modify the ACL. The u: means that we’re setting an ACL entry for a user. We then list the user’s name, followed by another colon and the list of permissions that we want to grant to this user. In this case we’re only allowing user rd read access. The getfacl output shows that rd does indeed have read access.

In the ls -l output, we can see that the group is listed as having read access even though we’ve set the 600 permission settings on this file (once an ACL exists, that column shows the ACL mask rather than the owning group’s permissions). There’s also a plus sign, which tells us that the file has an ACL.

To take this a step further, let’s say that I want user john to have read/write access to this file.

As you can see, we can have two or more different ACL entries assigned to the same file. In the ls -l output we can see read/write permissions set for the group, which is just a summary (the mask) of the permissions that we’ve set in the two ACL entries.
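The whole procedure above, collected into one script, as an added example that is not part of the original tutorial. The apply_tutorial_acl function replays the tutorial's commands and assumes setfacl/getfacl are installed and that users rd and john exist on the host; it only runs when you pass "run" as the first argument. The acl_mask function shows where the "summary" group column in ls -l comes from: it reads getfacl output and computes the mask as the union of the owning group entry and every named user or group entry. The getfacl output embedded below is constructed to match the tutorial's final state.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes: acl package installed,
# users "rd" and "john" exist when apply_tutorial_acl is invoked.

# Replay of the tutorial steps on one file.
apply_tutorial_acl() {
    f="$1"
    touch "$f"
    chmod 600 "$f"              # strip group/other rights before adding entries
    setfacl -m u:rd:r "$f"      # rd gets read only
    setfacl -m u:john:rw "$f"   # john gets read/write
    getfacl "$f"
    ls -l "$f"                  # expect a trailing "+" after the mode bits
}

# Compute the ACL mask (what ls -l shows in the group column once an ACL exists):
# the union of the owning group entry and all named user/group entries.
# Reads getfacl output on stdin and prints a 3-character permission string.
acl_mask() {
    awk -F: '
        /^#/ || NF < 3 { next }                     # skip getfacl header lines
        ($1 == "user" && $2 != "") || $1 == "group" {
            p = substr($3, 1, 3)                    # ignore any "#effective:" suffix
            if (substr(p, 1, 1) == "r") r = 1
            if (substr(p, 2, 1) == "w") w = 1
            if (substr(p, 3, 1) == "x") x = 1
        }
        END { printf "%s%s%s\n", (r ? "r" : "-"), (w ? "w" : "-"), (x ? "x" : "-") }
    '
}

# Return 0 if an `ls -l` line carries the "+" that marks an extended ACL.
has_acl_flag() {
    case "$1" in
        ??????????+*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed getfacl output for acl_test.txt after both setfacl commands.
SAMPLE_GETFACL='# file: acl_test.txt
# owner: root
# group: root
user::rw-
user:rd:r--
user:john:rw-
group::---
mask::rw-
other::---'

# Constructed ls -l line for the same file.
SAMPLE_LS='-rw-rw----+ 1 root root 0 Jan  1 00:00 acl_test.txt'

if [ "${1:-}" = "run" ]; then
    apply_tutorial_acl acl_test.txt
else
    printf 'mask from sample getfacl output: %s\n' "$(printf '%s\n' "$SAMPLE_GETFACL" | acl_mask)"
    has_acl_flag "$SAMPLE_LS" && echo 'sample ls -l line shows an ACL (+)'
fi
```

Run it as `sh acl_demo.sh run` on a host where rd and john exist to reproduce the tutorial; without arguments it only evaluates the embedded sample output, which is handy for checking files you cannot modify.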

In our next tutorial, we will see how to use Lynis to run a security audit on our system.

Ruwantha Nissanka is a professional cyber security engineer from Sri Lanka with a demonstrated history of providing cyber security services for multiple organizations in Sri Lanka. He is a positive person who wants to believe the best in others, and he likes to help and encourage people and make them feel good.