Linux Access Control Lists (ACL) and SE Linux: Advanced File Permission Management

Imagine your Linux system as a high-security office building. File permissions are like the key cards that determine who can enter which rooms, while SELinux is the security guard who doesn’t just check your ID — they verify your entire life story before letting you near the coffee machine.

Most admins treat file permissions like a suggestion rather than a law. Then they wonder why their "secure" server got compromised faster than a celebrity's Instagram account. Here's the brutal truth: proper file permissions and SELinux aren't optional. They are the layer that decides what a compromised account or service can actually reach once something else has already gone wrong.

Why Should You Care?

  • Prevent Data Breaches: Because explaining a breach to your boss isn't fun
  • Compliance Peace of Mind: Auditors love properly configured systems
  • Contain the Damage: SELinux doesn't make anything faster (it costs a little CPU), but a confined process that gets popped can only touch what its policy allows, not the whole box
  • Professional Reputation: Being known as the admin who never gets pwned

File Ownership: Who Owns What

The chown Command: Passing the Torch

sudo chown john:developers /project/website/
sudo chown -R alice:marketing /marketing_materials/

Think of chown as reassigning office desks: you're deciding who gets the key and which work group they belong to. One caveat for the recursive form: chown -R does not follow symbolic links by default, and you should keep it that way on trees other users can write to, because a planted symlink plus -L would let them point your chown at a file outside the tree.

The chgrp Command: Team Changes Only

sudo chgrp developers /shared/code/
sudo chgrp -R finance /quarterly_reports/

When you only need to change the team assignment without changing the individual owner — it’s like switching someone’s department without changing their desk.

File Permissions: The Digital Door Locks

The Symbolic Way (Human Readable)

chmod u+x script.sh            # Give owner execute permission
chmod g-w document.txt         # Remove group write permission
chmod o= sensitive_file.txt    # Remove all permissions for others
chmod a+r public_notice.txt    # Give everyone read permission

The Octal Way (Numbers Game)

chmod 755 executable_script    # rwxr-xr-x
chmod 644 regular_file         # rw-r--r--
chmod 600 private_key          # rw-------

Quick Octal Reference:

  • 4 = Read (r)
  • 2 = Write (w)
  • 1 = Execute (x)
  • Add them up, once per class (owner, group, others): 7=rwx, 6=rw-, 5=r-x, 4=r--, 0=---
  • An optional fourth leading digit carries the special bits: 4=setuid, 2=setgid, 1=sticky (so 1777 is a world-writable sticky directory)

Special Permissions: The Power-User Tools

Setuid: Temporary Superpowers

sudo chmod u+s /usr/bin/passwd

This lets regular users run passwd with root privileges to change their own passwords. It's like giving someone a temporary admin badge for one specific task. (passwd already ships with this bit set; the command just shows how it's done.) Two caveats: Linux ignores the setuid bit on scripts and only honours it on binaries, and every setuid-root binary is a place where an ordinary bug becomes root, so keep the list short and know what's on it. The group twin, g+s on a directory, makes new files inherit the directory's group, which is the usual companion to the group-friendly umask 002 below.

Sticky Bit: The "No Delete" Shield

sudo chmod +t /shared/temp/

Perfect for shared directories where everyone can create files but can only delete their own. With the sticky bit set, a file in the directory can be deleted or renamed only by its owner, the directory's owner, or root, even though the directory itself is world-writable. That is exactly how /tmp works (mode 1777). Like a communal fridge: you can add food but can't throw away someone else's lunch.
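The practical follow-up to both special bits is an audit: every setuid/setgid binary is a privilege boundary worth knowing about, and a world-writable directory without the sticky bit lets any user delete or rename anyone else's files in it. The following is an added shell example (mine, not from the original post) that runs those two checks over a throwaway tree it builds itself; the function names and the directory layout are made up for the example.

```shell
#!/bin/sh
# Added example: audit a directory tree for the two special-bit problems
# that matter most in practice.

# audit_special_bits DIR -> one finding per line: "<kind> <path>"
audit_special_bits() {
    # -perm -4000 / -2000: setuid or setgid bit set on a regular file
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
        sed 's/^/setid /'
    # world-writable directories (o+w) without the sticky bit (+t): any user
    # can delete or rename any other user's files inside them
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort |
        sed 's/^/ww-nosticky /'
}

# build_demo_tree -> prints the path of a constructed scratch tree containing
# one of each case so the audit has something to find (constructed data).
build_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/bin" "$root/shared" "$root/dropbox"
    : > "$root/bin/helper";  chmod 4755 "$root/bin/helper"   # setuid: finding
    : > "$root/bin/plain";   chmod 0755 "$root/bin/plain"    # ordinary: quiet
    chmod 1777 "$root/shared"    # world-writable WITH sticky bit, like /tmp: quiet
    chmod 0777 "$root/dropbox"   # world-writable, no sticky bit: finding
    printf '%s\n' "$root"
}

root=$(build_demo_tree)
audit_special_bits "$root"
rm -rf "$root"
# On a real host the equivalent sweep is:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \)
#   find / -xdev -type d -perm -0002 ! -perm -1000
```

Run the real-host variant once, save the output, and diff against it periodically: a new setuid binary appearing where none was before is one of the cheapest persistence indicators you can check for.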

Default Permissions: The umask Mystery

umask 022    # Standard restrictive setting
umask 002    # Group-friendly setting
umask 077    # Paranoid security setting

Your umask is like setting default privacy settings on social media — it determines who can see your stuff by default.

How it works:

  • New files start with 666 permissions (the kernel never creates a file executable; you add x yourself)
  • New directories start with 777 permissions
  • umask is a bit mask, not a number you subtract: every bit set in the umask is cleared from the default, so 022 clears write for group and others
  • umask 022: Files get 644, directories get 755; umask 077: files get 600, directories get 700
  • It only applies to files a process creates. Copying or chmod-ing an existing file is unaffected, and every login shell and service has its own umask (a systemd service takes it from UMask= in its unit, not from your shell)
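To see why "subtract" is the wrong mental model, here is a small added shell example (not from the original post) that applies a umask the way the kernel does, as a bit mask, and then compares the result with a file actually created under that umask. apply_umask and real_umask_mode are names chosen for this example; the real check assumes GNU stat.

```shell
#!/bin/sh
# Added example: umask is a bit mask, not arithmetic subtraction.
# Each bit set in the umask is cleared from the base mode: base AND NOT umask.

# apply_umask BASE UMASK -> resulting mode; both arguments are octal strings.
apply_umask() {
    base=$((0$1))    # a leading 0 makes the shell parse the string as octal
    mask=$((0$2))
    printf '%03o\n' $(( base & ~mask & 0777 ))
}

# real_umask_mode UMASK -> the mode the kernel gives a new file under that
# umask. Uses a scratch directory so it never touches real files.
real_umask_mode() {
    scratch=$(mktemp -d)
    ( umask "$1" && : > "$scratch/f" && stat -c '%a' "$scratch/f" )
    rm -rf "$scratch"
}

# The case where "subtraction" gives the wrong answer: 666 - 027 = 639 is not
# even a valid mode, while the kernel produces 640, because a bit that is
# already clear in the base (here, write for "others") cannot be cleared twice.
for m in 022 002 077 027; do
    printf 'umask %s: files %s, directories %s, kernel says %s\n' \
        "$m" "$(apply_umask 666 "$m")" "$(apply_umask 777 "$m")" "$(real_umask_mode "$m")"
done
```

The same bit-mask logic explains why a umask can never add permissions: it can only clear bits that the creating call asked for, which is why a file created with umask 000 is still 666, not 777.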

Access Control Lists: Precision Security

Viewing ACLs

getfacl important_file.txt
getfacl -R project_directory/

Setting Detailed Permissions

setfacl -m u:john:rw important_file.txt       # Give John read-write
setfacl -m g:developers:rx script.sh          # Give developers group read-execute
setfacl -x u:troublemaker important_file.txt  # Remove troublemaker's access

ACLs are like having a VIP list at a club: you can give specific people specific privileges beyond the basic "members only" rule. A file with an ACL shows a + after its mode in ls -l, and from then on the group column of that listing is no longer the group's permission but the ACL mask, which caps every named user and named group entry (and the owning group). Keep that in mind before running chmod on an ACL'd file: lowering the group bits lowers the mask, and your carefully added entries stop working without disappearing from getfacl.
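Because the mask trips people up, here is an added shell example (not from the original post) that parses a constructed getfacl dump and recomputes the #effective: annotations getfacl itself prints, so you can see exactly which entries a mask has neutered. sample_getfacl, effective_acl and and_perms are names invented for it, and the dump is constructed, not captured from a real file.

```shell
#!/bin/sh
# Added example: effective ACL rights = entry AND mask, the way the kernel
# applies a POSIX ACL. The mask caps named users, named groups and the
# owning group; the file owner and "other" are never masked.

# and_perms A B -> character-wise AND of two rwx triplets, e.g. rw- r-- -> r--
and_perms() {
    out=; i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != - ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# effective_acl: read getfacl output on stdin, echo it back with an
# "#effective:" note on every entry the mask reduces.
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    if [ -z "$mask" ]; then printf '%s\n' "$acl"; return; fi   # no extended ACL, nothing to mask
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user::*|default:*) printf '%s\n' "$line" ;;   # owner; default ACLs carry their own mask
            user:*|group:*)
                perms=${line##*:}
                eff=$(and_perms "$perms" "$mask")
                if [ "$eff" = "$perms" ]; then printf '%s\n' "$line"
                else printf '%s\t\t#effective:%s\n' "$line" "$eff"; fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed getfacl output for a file that got "setfacl -m u:john:rw" and
# "setfacl -m g:developers:rx", followed by a careless "chmod g-w", which
# dropped the mask to r--.
sample_getfacl() {
    cat <<'EOF'
# file: shared/report.txt
# owner: alice
# group: finance
user::rw-
user:john:rw-
group::r--
group:developers:r-x
mask::r--
other::---
EOF
}

sample_getfacl | effective_acl
```

The repair is to raise the mask again (setfacl -m m::rwx on the file), or simply re-run the setfacl -m that granted the entry, since setfacl recomputes the mask on every modification unless you pass -n.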

SELinux: The Paranoid Security Guard

Checking SELinux Status

getenforce    # Shows current mode
sestatus      # Detailed status information

The Three States of SELinux

Disabled — SELinux is off (not recommended for production)

# In /etc/selinux/config (takes effect at the next boot)
SELINUX=disabled

Permissive — Logs violations but doesn't block them (debugging mode)

sudo setenforce 0

Enforcing — Blocks violations and logs them (production mode)

sudo setenforce 1

setenforce changes the running kernel only; after a reboot you get whatever SELINUX= says in /etc/selinux/config, so set both when the change is meant to stick. Going from disabled back to enforcing needs a relabel of the whole filesystem (touch /.autorelabel before rebooting), which is one more reason to leave it on and use permissive for debugging instead of turning it off.

SELinux File Contexts

ls -Z /var/www/html/                              # View SELinux contexts
sudo restorecon -R /var/www/html/                 # Restore default contexts
sudo chcon -t httpd_sys_script_exec_t script.cgi  # Manually set context (temporary)

httpd_sys_script_exec_t is the type for CGI scripts the web server may execute; httpd_exec_t is the label of the httpd binary itself, not something to put on content. chcon changes are not recorded anywhere, so the next restorecon or relabel silently reverts them: use it for quick tests, and for anything permanent register the path and type with semanage fcontext and then run restorecon so the policy and the filesystem agree.

Troubleshooting SELinux Issues

sudo sealert -a /var/log/audit/audit.log   # Analyze denials (needs setroubleshoot-server)
sudo audit2allow -a                        # Turn logged denials into policy rules

When SELinux blocks something, don't just disable it: understand why and fix the root cause. Most denials are either a wrong label (fix with restorecon or a fcontext rule) or a boolean that is off (list them with getsebool -a, flip persistently with setsebool -P). audit2allow is the last resort, not the first: it will happily write an allow rule for whatever the log shows, including the attacker's activity, so read every rule it proposes before loading the module, and ask audit2why first, which tells you whether a boolean or a relabel would already fix it.
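sealert gives you the narrative; on a box without setroubleshoot you are staring at raw audit.log lines, and the same triage can be done with a few lines of shell. This added example (mine, not from the post) boils constructed AVC records down to who-was-denied-what-on-which-label and attaches a first-guess hint for the two commonest causes. The audit lines are made up, the hint table is a heuristic and not policy analysis, and summarize_avc, hint_for and sample_audit_log are names chosen here.

```shell
#!/bin/sh
# Added example: triage SELinux denials straight from audit.log.
# Every "avc: denied" record carries the source type (the process domain),
# the target type (the label on the object) and the object class; those
# three plus the permission are what you need before touching policy.

# summarize_avc: stdin = audit.log lines
#   stdout = "<count> <comm> <source_type> <target_type> <tclass> <perms>"
summarize_avc() {
    grep 'avc: *denied' |
    sed -E 's/.*denied *[{] *([^}]*[^ }]) *[}].*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([^ ]*).*/\2 \3 \4 \5 \1/' |
    sort | uniq -c | sed 's/^ *//'
}

# hint_for TARGET_TYPE TCLASS -> the first thing to check for that pairing.
# Heuristic only: confirm with audit2why before changing anything.
hint_for() {
    case "$2:$1" in
        file:user_home_t|file:user_home_dir_t|dir:user_home_t|dir:user_home_dir_t)
            echo "content is labeled as a home directory: move it under /var/www or add a semanage fcontext rule, then restorecon" ;;
        tcp_socket:postgresql_port_t|tcp_socket:mysqld_port_t)
            echo "outbound DB connection: check getsebool httpd_can_network_connect_db" ;;
        *)  echo "no stock hint: run sealert or audit2why on the record" ;;
    esac
}

# Constructed audit records (not captured from a real host): three denials
# from one httpd process, plus one SYSCALL record that must be ignored.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1234 comm="httpd" path="/srv/site/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.200:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
EOF
}

sample_audit_log | summarize_avc | while read -r count comm src tgt class perms; do
    printf '%s x %s: %s -> %s (%s %s): %s\n' \
        "$count" "$comm" "$src" "$tgt" "$class" "$perms" "$(hint_for "$tgt" "$class")"
done
```

Note that records with permissive=1 still read "denied": in permissive mode the denial is logged and the action goes ahead, so the same summary tells you what enforcing mode would break before you flip the switch.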

SSH Hardening: Locking the Front Door

Key-Based Authentication Setup

# Generate key pair (RSA 4096 is fine; -t ed25519 is the shorter, faster modern choice)
ssh-keygen -t rsa -b 4096

# Copy public key to server
ssh-copy-id user@server

# In /etc/ssh/sshd_config:
PubkeyAuthentication yes
PasswordAuthentication no

Log in with the key from a second terminal before you turn passwords off, and keep that session open until the restarted daemon has accepted a fresh key login. Locking yourself out of a remote box is the classic way this step goes wrong.

Restricting Root Access

# In /etc/ssh/sshd_config (pick one):
PermitRootLogin no                  # Completely disable root SSH
PermitRootLogin prohibit-password   # Only allow key-based root login

The two lines are alternatives, not a pair: sshd uses the first value it finds for a keyword and ignores later ones, so with both present, no wins simply because it comes first. prohibit-password is also the compiled-in default on current OpenSSH, so the second line only matters if something else in the config (or an included drop-in) sets it to yes.

User and Group Restrictions

# In /etc/ssh/sshd_config:
AllowUsers alice bob charlie
AllowGroups developers admins

These directives are evaluated in a fixed order (DenyUsers, AllowUsers, DenyGroups, AllowGroups) and a login has to pass every one you set: with both lines above, alice gets in only if she is also a member of developers or admins. Use one of the two unless you actually want that intersection, and prefer AllowGroups, because adding a new admin then becomes a group change rather than an sshd_config edit and restart.
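Two things about sshd_config that the directives above don't make obvious: sshd takes the first value it reads for each keyword, not the last, and an Include line (Ubuntu and Debian ship one at the top of the file for /etc/ssh/sshd_config.d/*.conf) pulls drop-ins in at that point, so a drop-in saying PasswordAuthentication yes beats your line further down. The added shell example below (not from the original post) is a small linter that resolves settings the way sshd does, run over a constructed weak config and its hardened counterpart. first_value, lint_sshd_config and the two sample functions are names chosen for it, and it assumes the "Keyword value" spelling rather than "Keyword=value".

```shell
#!/bin/sh
# Added example: lint an sshd_config the way sshd will actually read it.
# The rule that matters: for every keyword the FIRST value wins, and the
# global section ends at the first Match block.

# first_value KEY: stdin = config text; prints the effective global value
# of KEY in lower case, or nothing if the keyword is absent.
first_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 == "" || $1 ~ /^#/  { next }                    # blank lines and comments
        tolower($1) == "match" { exit }                    # per-connection section: stop
        tolower($1) == key     { print tolower($2); exit } # first occurrence wins
    '
}

# lint_sshd_config: stdin = config text; prints one FAIL/WARN line per
# finding and nothing for a clean file. Defaults are those of sshd_config(5).
lint_sshd_config() {
    cfg=$(cat)
    pa=$(printf '%s\n' "$cfg" | first_value PasswordAuthentication);  pa=${pa:-yes}
    prl=$(printf '%s\n' "$cfg" | first_value PermitRootLogin);        prl=${prl:-prohibit-password}
    pka=$(printf '%s\n' "$cfg" | first_value PubkeyAuthentication);   pka=${pka:-yes}
    [ "$pa" = no ] || echo "FAIL PasswordAuthentication resolves to '$pa' (want no)"
    case $prl in
        no|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin resolves to '$prl' (want no or prohibit-password)" ;;
    esac
    [ "$pka" = yes ] || echo "FAIL PubkeyAuthentication resolves to '$pka' (want yes)"
    if printf '%s\n' "$cfg" | grep -qi '^[[:space:]]*Include'; then
        echo "WARN Include present: drop-in files are read at that point, and their values win over later lines"
    fi
}

# Constructed configs, not copied from any host.
sample_weak_config() {
    cat <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no        # too late: the first value above already won
Match User deploy
    PasswordAuthentication no
EOF
}

sample_hardened_config() {
    cat <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowGroups developers admins
EOF
}

echo "weak:";     sample_weak_config | lint_sshd_config
echo "hardened:"; sample_hardened_config | lint_sshd_config
```

On the real host, skip the guessing and ask the daemon: sshd -T prints every setting as sshd resolved it (including drop-ins and defaults), and sshd -t checks that the file parses before you restart anything.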

TLDR Cheat Sheet 🚀

Essential File Commands:

chmod 755 file                  # Standard executable permissions
sudo chown user:group file      # Change ownership
getfacl file                    # View detailed permissions
setfacl -m u:user:rw file       # Grant specific user access

SELinux Essentials:

getenforce                                  # Check SELinux mode
ls -Z file                                  # View SELinux context
sudo restorecon -R /path                    # Fix contexts
sudo sealert -a /var/log/audit/audit.log    # Analyze issues

SSH Security:

ssh-keygen -t rsa -b 4096      # Generate strong key pair (or -t ed25519)
ssh-copy-id user@server        # Install public key
sudo systemctl restart sshd    # Apply config changes; run sshd -t first, and note the unit is named ssh on Debian/Ubuntu
