Vulnarex | Elite Cybersecurity Learning Platform

#When Basic Permissions Aren't Enough: ACLs Across Platforms#link

POSIX permissions only support one owner, one group, and 'others'. But real-world file servers need Finance to read, HR to modify, and Auditors to have read-only—all on the same directory. Access Control Lists (ACLs) provide that granularity. This lesson equips you to wield Windows icacls and Linux setfacl/getfacl to create layered, auditable file access rules that survive security audits.

Windows ACLs: The Anatomy of a Security Descriptor

Every securable object in Windows has a security descriptor containing a Discretionary ACL (DACL) and System ACL (SACL). The DACL holds Access Control Entries (ACEs) that allow or deny access to users/groups. SACL controls auditing. Using icacls, you can backup, restore, and script complex ACLs. Understanding the order of ACE evaluation (explicit deny, then explicit allow, then inherited) prevents misconfigurations.

Export ACL of a folder to a backup file

root@vulnarex:~#icacls D:\Shared /save AclBackup.txt /t

The /t switch recurses, and the backup file can be restored with icacls /restore. This is invaluable before making bulk permission changes.

powershell

# Use PowerShell to get and set ACLs more programmatically
$acl = Get-Acl -Path "D:\Shared"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType

info

💡 Always use 'icacls /verify' after setting permissions to ensure the ACL was applied correctly. It checks consistency of the file system metadata.

Linux ACLs with setfacl and getfacl

Modern Linux filesystems (ext4, xfs) support POSIX ACLs via the acl package. getfacl displays the ACL, including the traditional permission mask and any named user/group entries. setfacl -m adds entries, -x removes them. The mask entry limits the effective permissions of named groups and the owning group. It's the most confusing part: setting a named group rwx, but the mask is r--, the effective permission is r--.

Add ACL entries for multiple groups on a Linux directory

root@vulnarex:~#setfacl -m g:finance:r-x,g:audit:r-- /data/shared && getfacl /data/shared

Here, finance gets r-x, audit gets r--, and the mask restricts the effective permissions. The 'mask' is automatically recalculated to the union of all group permissions, but can be manually set to limit.

Command	Purpose	Example
getfacl	Display ACL	getfacl /etc/secret
setfacl -m	Modify/add entry	setfacl -m u:john:rw /file
setfacl -x	Remove entry	setfacl -x g:tempgroup /file
setfacl -b	Remove all ACLs	setfacl -b /file (reverts to POSIX only)

Default ACLs for Inheritance (Linux)

Setting a 'default' ACL on a directory causes new files and subdirectories to inherit that ACL. This is analogous to Windows inheritance. Without default ACLs, new files get only the standard POSIX permissions. Use setfacl -d to define defaults. This is essential for directories where multiple groups collaborate.

▪Always back up ACLs (icacls /save, getfacl -R) before bulk permission changes.
▪Use ACLs to grant access to multiple groups beyond the owning group.
▪Monitor the ACL mask on Linux—ensure it doesn't unintentionally strip permissions.
▪Set default ACLs on shared directories to enforce consistent permissions on new files.

STRICT SECURE AUDIT RULE

⚠️ On Linux, if you chmod the directory after setting ACLs, you may overwrite the mask, breaking the effective permissions of named groups. Always re-check with getfacl.

quiz BLOCK (★ 50 XP)

You set an ACL to grant 'audit' group rw access, but users in that group still can't write. The mask shows r--. What's the fix?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

ACL Design and Audit