Question

The two standard ACL commands are getfacl and setfacl.

1. What is the difference between them?

2. How can setfacl help achieve security hardening?

Answer 1

ACL comes into picture with more flexibility to give permissions to users or groups for particular file or directories. If a user is not a part of group but still wanted an access to the files which group is having, then without adding it to group permissions could be given.

There are two ACL commands getfacl and setfacl.

1)

getfacl : is uset to get files access control list describing the users or groups what all permissions one have

setfacl : is used to set the file access control list describing whom to give and what all permissions to be given.

2) setfacl can help to achieve security hardening because ACL has more granular permission structure. Tight permission is applied through ACL when a file acces is given to a particular user.

Like,

setfacl -m u:mohit:r test1

giving read permission for test1 folder inspite of owner and group people have more permission which will not effect their work. If ACL is applied to a fle the ls command shows permissions with + sign infromt of the permissions of that file overlooking the use of additional permissions to a user. Even setfacl can be used to remove permissions.