Linux File Permissions, Ownership, and POSIX ACLs
I enforced least-privilege file access using the standard user/group/other model, special bits, and POSIX ACLs for finer control. Explicit, auditable modes and ACLs let multiple users share directories without over-granting access.
Objective & Context
Permissions are the first access-control layer on every Linux file. This lab covers octal modes, ownership, setuid/setgid/sticky bits, umask defaults, and ACLs for cases the three-class model cannot express, aligning to NIST AC-6 least privilege.
Environment & Prerequisites
- Linux with coreutils and the acl package.
- Multiple test users and a shared directory.
- Root/sudo to change ownership.
flowchart LR
A[Access request] --> O{Owner?}
O -->|yes| Ou[owner bits]
O -->|no| G{In group?}
G -->|yes| Gb[group bits]
G -->|no| Ot[other bits]
Ou --> ACL[ACL overrides if set]
Step-by-Step Execution
1. Set explicit octal modes
chmod 750 /srv/app && chown app:web /srv/app2. Grant a user access via ACL
setfacl -m u:deploy:rx /srv/app && getfacl /srv/app3. Set a setgid directory for shared group ownership
chmod 2775 /srv/shared# file: srv/app
user::rwx
user:deploy:r-x
group::r-x
Validation & Testing
As each test user, attempt allowed and disallowed actions and confirm the kernel enforces the expected result. Pass criteria: owner/group/other behave per mode, the ACL grants exactly the named user, and setgid propagates group ownership to new files.
Advanced: Troubleshooting
- Unexpected access: an ACL may override base bits; inspect with getfacl.
- New files wrong group: set the setgid bit on the parent directory.
- Too-open defaults: tighten umask (027) for service accounts.
Key Results
- Enforced least privilege with explicit octal modes across service dirs.
- Granted per-user access via ACLs without widening group membership.
- Standardized shared directories with setgid for consistent ownership.
- Hardened default creation modes with a stricter umask.