I enforced least-privilege file access using the standard user/group/other model, special bits, and POSIX ACLs for finer control. Explicit, auditable modes and ACLs let multiple users share directories without over-granting access.

Objective & Context

Permissions are the first access-control layer on every Linux file. This lab covers octal modes, ownership, setuid/setgid/sticky bits, umask defaults, and ACLs for cases the three-class model cannot express, aligning to NIST AC-6 least privilege.

Environment & Prerequisites

  • Linux with coreutils and the acl package.
  • Multiple test users and a shared directory.
  • Root/sudo to change ownership.

Step-by-Step Execution

1. Set explicit octal modes

chmod 750 /srv/app && chown app:web /srv/app

2. Grant a user access via ACL

setfacl -m u:deploy:rx /srv/app && getfacl /srv/app

3. Set a setgid directory for shared group ownership

chmod 2775 /srv/shared
# file: srv/app
user::rwx
user:deploy:r-x
group::r-x

Validation & Testing

As each test user, attempt allowed and disallowed actions and confirm the kernel enforces the expected result. Pass criteria: owner/group/other behave per mode, the ACL grants exactly the named user, and setgid propagates group ownership to new files.

Advanced: Troubleshooting
  • Unexpected access: an ACL may override base bits; inspect with getfacl.
  • New files wrong group: set the setgid bit on the parent directory.
  • Too-open defaults: tighten umask (027) for service accounts.

Key Results

  • Enforced least privilege with explicit octal modes across service dirs.
  • Granted per-user access via ACLs without widening group membership.
  • Standardized shared directories with setgid for consistent ownership.
  • Hardened default creation modes with a stricter umask.