System Administration Guide, Volume 2

Chapter 17 Securing Files (Tasks)

This chapter describes the procedures for securing files. The step-by-step instructions in this chapter are:

    How to Display File Information
    How to Change the Owner of a File
    How to Change Group Ownership of a File
    How to Change Permissions in Absolute Mode
    How to Change Special Permissions in Absolute Mode
    How to Change Permissions in Symbolic Mode
    How to Find Files With setuid Permissions
    How to Disable Programs From Using Executable Stacks
    How to Disable Executable Stack Message Logging
    How to Set an ACL on a File
    How to Copy an ACL
    How to Check If a File Has an ACL
    How to Modify ACL Entries on a File
    How to Delete ACL Entries From a File
    How to Display ACL Entries for a File

File Security Features

This section describes the features that constitute a file's security.

User Classes

For each file, there are three classes of users that specify the levels of security:

    user     The owner of the file.
    group    The members of the group that owns the file.
    other    All other users on the system.

Only the owner of the file or root can assign or modify file permissions.

File Permissions

The table below lists and describes the permissions you can give to each user class for a file.

Table 17-1 File Permissions

  Symbol   Permission   Means Designated Users ...
  r        Read         Can open and read the contents of a file
  w        Write        Can write to the file (modify its contents), add to it, or delete it
  x        Execute      Can execute the file (if it is a program or shell script), or run it with one of the exec(1) system calls
  -        Denied       Cannot read, write, or execute the file

These file permissions apply to special files such as devices, sockets, and named pipes (FIFOs), just as they do to regular files.

For a symbolic link, the permissions that apply are those of the file the link points to.

Directory Permissions

The table below lists and describes the permissions you can give to each user class for a directory.

Table 17-2 Directory Permissions

  Symbol   Permission   Means Designated Users Can ...
  r        Read         List files in the directory.
  w        Write        Add or remove files or links in the directory.
  x        Execute      Open or execute files in the directory. Also can make the directory and the directories beneath it current.

You can protect the files in a directory (and in its subdirectories) by disallowing access to that directory. Note, however, that superuser has access to all files and directories on the system.

Special File Permissions (setuid, setgid and Sticky Bit)

Three special types of permissions are available for executable files and public directories: setuid, setgid, and the sticky bit. When the setuid or setgid permission is set on an executable file, any user who runs that file assumes the user ID (or group ID) of the file's owner for the duration of the process.

You must be extremely careful when setting special permissions, because special permissions constitute a security risk. For example, a user can gain superuser permission by executing a program that sets the user ID to root. Also, all users can set special permissions for files they own, which constitutes another security concern.

You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. See "How to Find Files With setuid Permissions" to search for the file systems and print out a list of all programs using these permissions. A suspicious listing would be one that grants ownership of such a program to a user rather than to root or bin.

setuid Permission

When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who is running the executable file. This allows a user to access files and directories that are normally only available to the owner. For example, the setuid permission on the passwd command makes it possible for a user to change passwords, assuming the permissions of the root ID:


-r-sr-sr-x   3 root     sys       104580 Sep 16 12:02 /usr/bin/passwd

This presents a security risk, because some determined users can find a way to maintain the permissions granted to them by the setuid process even after the process has finished executing.


Note -

Using setuid permissions with the reserved UIDs (0-99) from a program might not set the effective UID correctly. Use a shell script instead or avoid using the reserved UIDs with setuid permissions.


setgid Permission

The set-group identification (setgid) permission is similar to setuid, except that the process's effective group ID (GID) is changed to the group owner of the file, and a user is granted access based on permissions granted to that group. The /usr/bin/mail program has setgid permissions:


-r-x--s--x   1 root     mail       63628 Sep 16 12:01 /usr/bin/mail

When setgid permission is applied to a directory, files created in this directory belong to the group to which the directory belongs, not the group to which the creating process belongs. Any user who has write and execute permissions in the directory can create a file there; however, the file belongs to the group owning the directory, not to the user's group.


Sticky Bit

The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root. This prevents a user from deleting other users' files from public directories such as /tmp:


drwxrwxrwt 7  root  sys   400 Sep  3 13:37 tmp

Be sure to set the sticky bit manually when you set up a public directory on a TMPFS file system.

Default umask

When you create a file or directory, it has a default set of permissions. These default permissions are determined by the value of umask(1) in the system file /etc/profile, or in your .cshrc or .login file. By default, the system sets the permissions on a text file to 666, granting read and write permission to user, group, and others, and to 777 on a directory or executable file.

The value assigned by umask is subtracted from the default. This has the effect of denying permissions in the same way that chmod grants them. For example, while the command chmod 022 grants write permission to group and others, umask 022 denies write permission for group and others.

The table below shows some typical umask settings, and the effect on an executable file.

Table 17-3 umask Settings for Different Security Levels

  Level of Security   umask   Disallows
  Permissive (744)    022     w for group and others
  Moderate (740)      027     w for group, rwx for others
  Moderate (741)      026     w for group, rw for others
  Severe (700)        077     rwx for group and others
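The arithmetic behind the umask, as an added shell example that is not part of the original guide: mode_after_umask computes default AND NOT umask for any pair of octal values (666 for a text file, 777 for a directory or executable), and perms_after_umask applies a umask in a subshell, creates a scratch file or directory under a mktemp directory, and reads the resulting mode back with ls -ld, which is how you would confirm the setting on a live system. The function names and the scratch location are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): shows how umask removes bits
# from the default 666 (text file) and 777 (directory/executable) modes.

# Pure arithmetic: default mode AND NOT umask, printed as three octal digits.
# Usage: mode_after_umask DEFAULT_OCTAL UMASK_OCTAL   (666 022 -> 644)
mode_after_umask() {
    # The leading 0 makes the shell treat both operands as octal constants.
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Live check: create a file or directory under the given umask and report the
# ten-character mode field that ls -ld prints (Solaris, Linux and BSD alike).
# Usage: perms_after_umask UMASK_OCTAL file|dir
perms_after_umask() {
    tmpdir=$(mktemp -d) || return 1
    (
        umask "$1"                      # affects only this subshell
        if [ "$2" = dir ]; then
            mkdir "$tmpdir/probe"
        else
            : > "$tmpdir/probe"         # create an empty regular file
        fi
        ls -ld "$tmpdir/probe" | cut -c1-10
    )
    rm -rf "$tmpdir"
}

# Walk the umask values from Table 17-3 and show the computed result for a
# text file (666 default) and for a directory or executable (777 default).
umask_table() {
    for m in 022 027 026 077; do
        printf 'umask %s: file %s, directory/executable %s\n' \
            "$m" "$(mode_after_umask 666 "$m")" "$(mode_after_umask 777 "$m")"
    done
}

umask_table
perms_after_umask 022 file
perms_after_umask 077 dir
```

The subshell around umask matters: a umask call changes the calling shell's creation mask for everything it creates afterwards, so a script that probes several values should isolate each one.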

Displaying File Information

This section describes how to display file information.

How to Display File Information

Display information about all the files in a directory by using the ls command.


$ ls -la

    -l    Displays the long format.
    -a    Displays all files, including hidden files that begin with a dot (.).

Each line in the display has the following information about a file: the type of file and its permissions, the number of hard links, the owner, the group, the size in bytes, the date and time of the last modification, and the file name.

Example--Displaying File Information

The following example displays the partial list of the files in the /sbin directory.


$ cd /sbin
$ ls -la
total 13456
drwxr-xr-x   2 root     sys          512 Sep  1 14:11 .
drwxr-xr-x  29 root     root        1024 Sep  1 15:40 ..
-r-xr-xr-x   1 root     bin       218188 Aug 18 15:17 autopush
lrwxrwxrwx   1 root     root          21 Sep  1 14:11 bpgetfile -> ...
-r-xr-xr-x   1 root     bin       505556 Aug 20 13:24 dhcpagent
-r-xr-xr-x   1 root     bin       456064 Aug 20 13:25 dhcpinfo
-r-xr-xr-x   1 root     bin       272360 Aug 18 15:19 fdisk
-r-xr-xr-x   1 root     bin       824728 Aug 20 13:29 hostconfig
-r-xr-xr-x   1 root     bin       603528 Aug 20 13:21 ifconfig
-r-xr-xr-x   1 root     sys       556008 Aug 20 13:21 init
-r-xr-xr-x   2 root     root      274020 Aug 18 15:28 jsh
-r-xr-xr-x   1 root     bin       238736 Aug 21 19:46 mount
-r-xr-xr-x   1 root     sys         7696 Aug 18 15:20 mountall
   .
   .
   .

Changing File Ownership

This section describes how to change the ownership of a file.

How to Change the Owner of a File

  1. Become superuser.

    By default, the owner cannot use the chown command to change the owner of a file or directory. However, you can enable the owner to use chown by adding the following line to the system's /etc/system file and rebooting the system.


    set rstchown = 0

    See chown(1) for more details. Also, be aware that there can be other restrictions on changing ownership on NFS-mounted file systems.

  2. Change the owner of a file by using the chown command.


    # chown newowner  filename
    

    newowner

    Specifies the user name or UID of the new owner of the file or directory.  

    filename

    Specifies the file or directory. 

  3. Verify the owner of the file is changed.


    # ls -l filename
    

Example--Changing the Owner of a File

The following example sets the ownership on myfile to the user rimmer.


# chown rimmer myfile
# ls -l myfile
-rw-r--r--   1 rimmer   scifi   112640 May 24 10:49 myfile

How to Change Group Ownership of a File

  1. Become superuser.

    By default, the owner can only use the chgrp command to change the group of a file to a group in which the owner belongs. For example, if the owner of a file only belongs to the staff and sysadm groups, the owner can only change the group of a file to staff or sysadm group.

    However, you can enable the owner to change the group of a file to a group in which the owner doesn't belong by adding the following line to the system's /etc/system file and rebooting the system.


    set rstchown = 0

    See chgrp(1) for more details. Also, be aware that there can be other restrictions on changing groups on NFS-mounted file systems.

  2. Change the group owner of a file by using the chgrp command.


    $ chgrp group filename
    

    group

    Specifies the group name or GID of the new group of the file or directory. 

    filename

    Specifies the file or directory. 

    See "Setting Up and Maintaining User Accounts and Groups (Tasks)" in System Administration Guide, Volume 1 for information on setting up groups.

  3. Verify the group owner of the file is changed.


    $ ls -l filename
    

Example--Changing Group Ownership of a File

The following example sets the group ownership on myfile to the group scifi.


$ chgrp scifi myfile
$ ls -l myfile
-rwxrw-- 1 rimmer scifi 12985 Nov 12 16:28 myfile

Changing File Permissions

The chmod command enables you to change the permissions on a file. You must be superuser or the owner of a file or directory to change its permissions.

You can use the chmod command to set permissions in either of two modes: absolute mode, in which you specify the permissions as octal values, and symbolic mode, in which you specify them with letter and operator symbols.

The table below lists the octal values for setting file permissions in absolute mode. You use these numbers in sets of three to set permissions for owner, group, and other (in that order). For example, the value 644 sets read/write permissions for owner, and read-only permissions for group and other.

Table 17-5 Setting File Permissions in Absolute Mode

  Octal Value   File Permissions Set   Permissions Description
  0             ---                    No permissions
  1             --x                    Execute permission only
  2             -w-                    Write permission only
  3             -wx                    Write and execute permissions
  4             r--                    Read permission only
  5             r-x                    Read and execute permissions
  6             rw-                    Read and write permissions
  7             rwx                    Read, write, and execute permissions

You can set special permissions on a file in absolute or symbolic modes. In absolute mode, you set special permissions by adding a new octal value to the left of the permission triplet. The table below lists the octal values to set special permissions on a file.

Table 17-6 Setting Special Permissions in Absolute Mode

  Octal Value   Special Permissions Set
  1             Sticky bit
  2             setgid
  4             setuid

The table below lists the symbols for setting file permissions in symbolic mode. Symbols can specify whose permissions are to be set or changed, the operation to be performed, and the permissions being assigned or changed.

Table 17-7 Setting File Permissions in Symbolic Mode

  Symbol   Function     Description
  u        Who          User (owner)
  g        Who          Group
  o        Who          Others
  a        Who          All
  =        Operation    Assign
  +        Operation    Add
  -        Operation    Remove
  r        Permission   Read
  w        Permission   Write
  x        Permission   Execute
  l        Permission   Mandatory locking, setgid bit is on, group execution bit is off
  s        Permission   setuid or setgid bit is on
  S        Permission   setuid bit is on, user execution bit is off
  t        Permission   Sticky bit is on, execution bit for others is on
  T        Permission   Sticky bit is on, execution bit for others is off

The who, operator, and permission designations in the Function column specify the symbols that change the permissions on the file or directory.

    who            Specifies whose permissions are changed.
    operator       Specifies the operation to perform.
    permissions    Specifies what permissions are changed.

How to Change Permissions in Absolute Mode

  1. If you are not the owner of the file or directory, become superuser.

    Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.

  2. Change permissions in absolute mode by using the chmod command.


    $ chmod nnn filename
    

    nnn

    Specifies the octal values that represent the permissions for the file owner, file group, and others, in that order. See Table 17-5 for the list of valid octal values.

    filename

    Specifies the file or directory. 


    Note -

    If you use chmod to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the effective permissions for additional users and groups who have ACL entries on the file. Use the getfacl(1) command to make sure the appropriate permissions are set for all ACL entries.


  3. Verify the permissions of the file have changed.


    $ ls -l filename
    

Example--Changing Permissions in Absolute Mode

The following example shows changing the permissions of a public directory from 744 (read/write/execute, read-only, and read-only) to 755 (read/write/execute, read/execute, and read/execute).


$ ls -ld public_dir
drwxr--r--  1 ignatz   staff    6023 Aug  5 12:06 public_dir
$ chmod 755 public_dir
$ ls -ld public_dir
drwxr-xr-x  1 ignatz   staff    6023 Aug  5 12:06 public_dir

The following example shows changing the permissions of an executable shell script from read/write to read/write/execute.


$ ls -l my_script
-rw------- 1 ignatz   staff    6023 Aug  5 12:06 my_script
$ chmod 700 my_script
$ ls -l my_script
-rwx------ 1 ignatz   staff    6023 Aug  5 12:06 my_script

How to Change Special Permissions in Absolute Mode

  1. If you are not the owner of the file or directory, become superuser.

    Only the current owner or superuser can use the chmod command to change the special permissions on a file or directory.

  2. Change special permissions in absolute mode by using the chmod command.


    $ chmod nnnn filename
    

    nnnn

    Specifies the octal values that change the permissions on the file or directory. The first octal value on the left sets the special permissions on the file. See Table 17-6 for the list of valid octal values for the special permissions.

    filename

    Specifies the file or directory. 


    Note -

    If you use chmod to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the effective permissions for additional users and groups who have ACL entries on the file. Use the getfacl(1) command to make sure the appropriate permissions are set for all ACL entries.


  3. Verify the permissions of the file have changed.


    $ ls -l filename
    

Examples--Setting Special Permissions in Absolute Mode

The following example sets setuid permission on the dbprog file.


$ chmod 4555 dbprog
$ ls -l dbprog
-r-sr-xr-x   1 db     staff        12095 May  6 09:29 dbprog

The following example sets setgid permission on the dbprog2 file.


$ chmod 2551 dbprog2
$ ls -l dbprog2
-r-xr-s--x   1 db     staff       24576 May  6 09:30 dbprog2

The following example sets sticky bit permission on the pubdir directory.


$ chmod 1777 pubdir

How to Change Permissions in Symbolic Mode

  1. If you are not the owner of the file or directory, become superuser.

    Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.

  2. Change permissions in symbolic mode by using the chmod command.


    $ chmod who operator permission filename
    

    who operator permission

    who specifies whose permissions are changed, operator specifies the operation to perform, and permission specifies what permissions are changed. See Table 17-7 for the list of valid symbols.

    filename

    Specifies the file or directory. 

  3. Verify the permissions of the file have changed.


    $ ls -l filename
    

Examples--Changing Permissions in Symbolic Mode

The following example takes away read permission from others.


$ chmod o-r filea

The following example adds read and execute permissions for user, group, and others.


$ chmod a+rx fileb

The following example assigns read, write, and execute permissions to group.


$ chmod g=rwx filec
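To tie Tables 17-5, 17-6 and 17-7 together, here is an added shell example (not code from the guide) that turns a three- or four-digit absolute mode into the nine-character field that ls -l prints, using the letters s, S, l, t and T from Table 17-7 for the special bits, and then applies a mode with chmod on a scratch file to show the verification step from the procedures above. The function names are assumptions; the lettering follows Table 17-7, so setgid without group execute is rendered as l, where some other systems' ls prints S instead.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): renders a four-digit absolute
# mode (Tables 17-5 and 17-6) as the nine-character string that ls -l prints,
# using the special-bit letters of Table 17-7 (s, S, l, t, T).

# Render one rwx triplet.  $1 = octal digit 0-7, $2 = letter to print in the
# execute slot when the special bit and the execute bit are both on,
# $3 = letter when the special bit is on but execute is off,
# $4 = 1 if the special bit is on, 0 otherwise.
triplet() {
    d=$1; on_exec=$2; on_noexec=$3; special=$4
    r=-; w=-; x=-
    if [ $(( d & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( d & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( d & 1 )) -ne 0 ]; then
        if [ "$special" -eq 1 ]; then x=$on_exec; else x=x; fi
    elif [ "$special" -eq 1 ]; then
        x=$on_noexec
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# Usage: mode_string NNNN   (4555 -> r-sr-xr-x, 1777 -> rwxrwxrwt)
# A three-digit mode is accepted and treated as having no special bits.
mode_string() {
    m=$1
    case ${#m} in
        3) m=0$m ;;
        4) ;;
        *) echo "mode_string: expected 3 or 4 octal digits" >&2; return 1 ;;
    esac
    sp=$(printf '%s' "$m" | cut -c1)
    u=$(printf '%s' "$m" | cut -c2)
    g=$(printf '%s' "$m" | cut -c3)
    o=$(printf '%s' "$m" | cut -c4)
    suid=$(( (sp & 4) != 0 ))
    sgid=$(( (sp & 2) != 0 ))
    stky=$(( (sp & 1) != 0 ))
    # setuid: s when user-execute is on, S when it is off.
    # setgid: s when group-execute is on, l (mandatory locking) when it is off.
    # sticky: t when other-execute is on, T when it is off.
    printf '%s%s%s\n' "$(triplet "$u" s S "$suid")" \
                      "$(triplet "$g" s l "$sgid")" \
                      "$(triplet "$o" t T "$stky")"
}

# Live check on a scratch file or directory: apply a mode with chmod and read
# it back with ls -l, the verification step used throughout this chapter.
# Usage: chmod_and_show NNNN file|dir   -> prints the ten-character mode field
chmod_and_show() {
    scratch=$(mktemp -d) || return 1
    if [ "$2" = dir ]; then mkdir "$scratch/probe"; else : > "$scratch/probe"; fi
    chmod "$1" "$scratch/probe"
    ls -ld "$scratch/probe" | cut -c1-10
    rm -rf "$scratch"
}

for m in 644 755 4555 2551 1777 4644 2640 1666; do
    printf 'chmod %s -> %s\n' "$m" "$(mode_string "$m")"
done
chmod_and_show 700 file
chmod_and_show 1777 dir
```

The conversion is the table lookup you would otherwise do by hand when reading the ls -l output in the examples above; the live check only sets modes that any account can set on its own scratch files.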

Searching for Special Permissions

You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. A suspicious listing would be one that grants ownership of such a program to a user rather than to root or bin.

How to Find Files With setuid Permissions

  1. Become superuser.

  2. Find files with setuid permissions set by using the find command.


    # find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
    

    find directory

    Checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail.

    -user root

    Displays files only owned by root. 

    -perm -4000

    Displays only files that have the setuid bit (octal 4000) set, regardless of their other permission bits.

    -exec ls -ldb

    Displays the output of the find command in ls -ldb format.

    >/tmp/filename

    Writes results to this file. 

  3. Display the results in /tmp/filename.

    If you need background information about setuid permissions, see "setuid Permission".

Example--Finding Files With setuid Permissions


# find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/ckprm
# cat /tmp/ckprm
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
#

An unauthorized user (rar) has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. This means that rar can execute /usr/rar/bin/sh and become the privileged user. If you want to save this output for future reference, move the file out of the /tmp directory.
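An added example (not from the guide) of what to do with a listing like /tmp/ckprm once you have it: flag_setuid_entries reads ls -ldb lines and reports entries whose group is not a system group or whose path lies outside the directories where vendor-supplied setuid programs normally live, and setuid_delta compares a fresh listing against a baseline saved after the last review so that programs that appeared or disappeared since then stand out. The sample listing is copied from the example above; the system-group list and the expected-directory list are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): reviews a list of setuid files in
# the ls -ldb format produced by the find command above.  The sample is the
# chapter's own /tmp/ckprm listing; the allow-lists are assumptions.
LC_ALL=C; export LC_ALL      # deterministic sort/comm ordering

# Sample output, constructed from the chapter's /tmp/ckprm listing.
SAMPLE='-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd'

# Flag an entry when its group is not a system group, or when it lives outside
# the directories where vendor setuid programs are expected.  Prints the path
# of every flagged entry followed by the reasons.
# Usage: flag_setuid_entries < listing
flag_setuid_entries() {
    awk '
        function add(r, s) { return (r == "") ? s : r ", " s }
        BEGIN {
            split("root bin sys mail lp uucp", g, " ")   # assumed system groups
            for (i in g) sysgroup[g[i]] = 1
        }
        NF < 9 { next }                                  # not an ls -l line
        {
            group = $4; path = $NF; reason = ""
            if (!(group in sysgroup))
                reason = add(reason, "group " group " is not a system group")
            if (path !~ /^\/(usr\/bin|usr\/sbin|usr\/lib|sbin|bin|etc|lib)\//)
                reason = add(reason, "outside expected directories")
            if (reason != "") print path ": " reason
        }'
}

# Compare a fresh listing against a saved baseline and report paths that were
# added or removed.  Only the path (last field) is compared, so size and date
# changes are ignored.
# Usage: setuid_delta BASELINE_FILE CURRENT_FILE
setuid_delta() {
    d=$(mktemp -d) || return 1
    awk 'NF >= 9 { print $NF }' "$1" | sort > "$d/base"
    awk 'NF >= 9 { print $NF }' "$2" | sort > "$d/cur"
    comm -13 "$d/base" "$d/cur" | sed 's/^/added:   /'
    comm -23 "$d/base" "$d/cur" | sed 's/^/removed: /'
    rm -rf "$d"
}

# Demonstration with the constructed sample: flag, then diff against a
# baseline that predates the /usr/rar/bin/sh entry.
printf '%s\n' "$SAMPLE" | flag_setuid_entries

work=$(mktemp -d)
printf '%s\n' "$SAMPLE" | grep -v '/usr/rar/' > "$work/baseline"
printf '%s\n' "$SAMPLE" > "$work/current"
setuid_delta "$work/baseline" "$work/current"
rm -rf "$work"
```

On a real system the current listing comes from the find command in the procedure above, and the baseline is the copy you moved out of /tmp after the previous review; keeping that copy somewhere only root can write is what makes the comparison trustworthy.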

Executable Stacks and Security

A number of security bugs are related to default executable stacks when their permissions are set to read, write and execute. While stacks with execute permissions set are mandated by the SPARC ABI and Intel ABI, most programs can function correctly without using executable stacks.

The noexec_user_stack variable (available starting in the Solaris 2.6 release) enables you to specify whether stack mappings are executable or not. By default, the variable is zero, which provides ABI-compliant behavior. If the variable is set to non-zero, the system will mark the stack of every process in the system as readable and writable, but not executable.

Once this variable is set, programs that attempt to execute code on their stack will be sent a SIGSEGV signal, which usually results in the program terminating with a core dump. Such programs also generate a warning message that includes the name of the offending program, the process ID, and real UID of the user who ran the program. For example:


a.out[347] attempt to execute code on stack by uid 555 

The message is logged by the syslogd(1M) daemon when the syslog kern facility is set to notice level. This logging is set by default in the syslog.conf(4) file, which means the message is sent to both the console and to the /var/adm/messages file.

This message is useful both for observing potential security problems, as well as to identify valid programs that depend upon executable stacks which have been prevented from correct operation by setting this variable. If the administrator does not want any messages logged, then the noexec_user_stack_log variable can be set to zero to disable it in the /etc/system file, though the SIGSEGV signal can continue to cause the executing program to core dump.

You can use mprotect(2) if you want programs to explicitly mark their stack as executable.

Because of hardware limitations, the capability of catching and reporting executable stack problems is only available on sun4m, sun4d and sun4u platforms.

How to Disable Programs From Using Executable Stacks

  1. Become superuser.

  2. Edit the /etc/system file and add the following line.


    set noexec_user_stack=1

  3. Reboot the system.


    # init 6
    

How to Disable Executable Stack Message Logging

  1. Become superuser.

  2. Edit the /etc/system file and add the following line.


    set noexec_user_stack_log=0

  3. Reboot the system.


    # init 6
    
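Two checks for this section, as an added shell example that is not part of the guide: tunable_value reports the effective setting of a tunable in /etc/system text (lines beginning with * are comments, whitespace around = is allowed, and the last assignment wins), and stack_violations pulls the program name, process ID and real UID out of the warning message shown above. The /etc/system excerpt and the log lines are constructed for the example; the syslog prefix in front of the message is an assumption.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): audit the executable-stack
# settings in /etc/system text and parse the logged warnings.

# Constructed /etc/system excerpt with a comment and spaced assignment.
ETC_SYSTEM='* tuning parameters
set noexec_user_stack=1
set noexec_user_stack_log = 0
* end of file'

# Constructed /var/adm/messages excerpt; the syslog prefix format is assumed,
# the message body is the format the chapter shows.
MESSAGES='Sep 16 12:02:11 hostA unix: a.out[347] attempt to execute code on stack by uid 555
Sep 16 12:05:40 hostA unix: myprog[1020] attempt to execute code on stack by uid 0
Sep 16 12:06:01 hostA sshd[200]: unrelated message'

# Print the value of a "set name=value" tunable read from stdin, or "unset".
# Usage: tunable_value NAME < etc_system_text
tunable_value() {
    awk -v name="$1" '
        /^[ \t]*\*/ { next }                           # comment line
        $1 == "set" {
            line = $0; sub(/^[ \t]*set[ \t]*/, "", line)
            split(line, kv, /[ \t]*=[ \t]*/)
            if (kv[1] == name) value = kv[2]           # last assignment wins
        }
        END { print (value == "" ? "unset" : value) }'
}

# Extract "program pid uid" from each executable-stack warning on stdin.
# Usage: stack_violations < log_text
stack_violations() {
    awk '
        /attempt to execute code on stack by uid/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /\[[0-9]+\]$/) prog = $i      # e.g. a.out[347]
            uid = $NF
            pid = prog; sub(/^.*\[/, "", pid); sub(/\]$/, "", pid)
            sub(/\[.*$/, "", prog)
            print prog, pid, uid
        }'
}

printf '%s\n' "$ETC_SYSTEM" | tunable_value noexec_user_stack
printf '%s\n' "$ETC_SYSTEM" | tunable_value noexec_user_stack_log
printf '%s\n' "$MESSAGES" | stack_violations
```

Feeding the real file is a matter of `tunable_value noexec_user_stack < /etc/system`; a value of 1 in the file only takes effect after the reboot in step 3, so the check tells you what the next boot will do, not what the running kernel is doing now.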

Using Access Control Lists (ACLs)

Traditional UNIX file protection provides read, write, and execute permissions for the three user classes: file owner, file group, and other. An ACL provides better file security by enabling you to define file permissions for the file owner, file group, other, specific users and groups, and default permissions for each of those categories.

For example, if you wanted everyone in a group to be able to read a file, you would simply give group read permissions on that file. Now, assume you wanted only one person in the group to be able to write to that file. Standard UNIX doesn't provide that level of file security. However, this dilemma is perfect for ACLs.

ACL entries are the way to define an ACL on a file, and they are set through the setfacl(1) command. ACL entries consist of the following fields separated by colons:


entry_type:[uid|gid]:perms

entry_type

Type of ACL entry on which to set file permissions. For example, entry_type can be user (the owner of a file) or mask (the ACL mask).

uid

User name or identification number. 

gid

Group name or identification number. 

perms

Represents the permissions that are set on entry_type. perms can be indicated by the symbolic characters rwx or a number (the same permissions numbers used with the chmod command).

The following example shows an ACL entry that sets read/write permissions for the user nathan.


user:nathan:rw-

Caution -

UFS file system attributes such as ACLs are supported in UFS file systems only. This means that if you restore or copy files with ACL entries into the /tmp directory, which is usually mounted as a TMPFS file system, the ACL entries will be lost. Use the /var/tmp directory for temporary storage of UFS files.


ACL Entries for Files

The table below lists the valid ACL entries. The first three ACL entries provide the basic UNIX file protection.

Table 17-8 ACL Entries for Files

  ACL Entry           Description
  u[ser]::perms       File owner permissions.
  g[roup]::perms      File group permissions.
  o[ther]:perms       Permissions for users other than the file owner or members of the file group.
  m[ask]:perms        The ACL mask. The mask entry indicates the maximum permissions allowed for users (other than the owner) and for groups. The mask is a quick way to change permissions on all the users and groups.
                      For example, the mask:r-- mask entry indicates that users and groups cannot have more than read permissions, even though they might have write/execute permissions.
  u[ser]:uid:perms    Permissions for a specific user. For uid, you can specify either a user name or a numeric UID.
  g[roup]:gid:perms   Permissions for a specific group. For gid, you can specify either a group name or a numeric GID.

ACL Entries for Directories

In addition to the ACL entries described in Table 17-8, you can set default ACL entries on a directory. Files or directories created in a directory that has default ACL entries will have the same ACL entries as the default ACL entries. The table below lists the default ACL entries for directories.

When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the file owner, file group, others, and the ACL mask (these are required and are the first four default ACL entries in the table below).

Table 17-9 Default ACL Entries for Directories

  Default ACL Entry             Description
  d[efault]:u[ser]::perms       Default file owner permissions.
  d[efault]:g[roup]::perms      Default file group permissions.
  d[efault]:o[ther]:perms       Default permissions for users other than the file owner or members of the file group.
  d[efault]:m[ask]:perms        Default ACL mask.
  d[efault]:u[ser]:uid:perms    Default permissions for a specific user. For uid, you can specify either a user name or a numeric UID.
  d[efault]:g[roup]:gid:perms   Default permissions for a specific group. For gid, you can specify either a group name or a numeric GID.

How to Set an ACL on a File

  1. Set an ACL on a file by using the setfacl command.


    $ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl_entry_list filename ...
    

    -s

    Sets an ACL on the file. If a file already has an ACL, it is replaced. This option requires at least the file owner, file group, and other entries. 

    user::perms

    Specifies the file owner permissions. 

    group::perms

    Specifies the file group permissions. 

    other:perms

    Specifies the permissions for users other than the file owner or members of the file group. 

    mask:perms

    Specifies the permissions for the ACL mask. The mask indicates the maximum permissions allowed for users (other than the owner) and for groups. 

    acl_entry_list

    Specifies the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 17-8 and Table 17-9 show the valid ACL entries.

    filename

    Specifies one or more files or directories on which to set the ACL.  

  2. To verify that an ACL was set on the file, see "How to Check If a File Has an ACL". To verify which ACL entries were set on the file, use the getfacl command.


    $ getfacl filename
    

Caution -

If an ACL already exists on the file, the -s option will replace the entire ACL with the new ACL.


Examples--Setting an ACL on a File

The following example sets the file owner permissions to read/write, file group permissions to read only, and other permissions to none on the ch1.doc file. In addition, the user george is given read/write permissions on the file, and the ACL mask permissions are set to read/write, which means no user or group can have execute permissions.


$ setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:george:rw- ch1.doc
$ ls -l
total 124
-rw-r-----+  1 nathan  sysadmin   34816 Nov 11 14:16 ch1.doc
-rw-r--r--   1 nathan  sysadmin   20167 Nov 11 14:16 ch2.doc
-rw-r--r--   1 nathan  sysadmin    8192 Nov 11 14:16 notes
$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw-    #effective:rw-
group::r--         #effective:r--
mask:rw-
other:---

The following example sets the file owner permissions to read/write/execute, file group permissions to read only, other permissions to none, and the ACL mask permissions to read on the ch2.doc file. In addition, the user george is given read/write permissions; however, due to the ACL mask, the effective permissions for george are read only.


$ setfacl -s u::7,g::4,o:0,m:4,u:george:7 ch2.doc
$ getfacl ch2.doc
# file: ch2.doc
# owner: nathan
# group: sysadmin
user::rwx
user:george:rwx         #effective:r--
group::r--              #effective:r--
mask:r--
other:---
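The mask rule from Table 17-8 worked through in plain awk, as an added example that is not the guide's code: acl_listing takes the same acl_entry_list you would pass to setfacl -s and prints the entries the way getfacl lists them, computing each #effective: column as the entry's permissions ANDed with the mask, and acl_is_trivial applies the rule from the note under "How to Check If a File Has an ACL" to decide whether ls -l would show a +. Nothing is written to a file system, so it runs without setfacl or getfacl; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): reproduce getfacl's listing,
# including the #effective: column, from a setfacl -s entry list.

# Usage: acl_listing ENTRY_LIST   e.g. acl_listing "u::7,g::4,o:0,m:4,u:george:7"
acl_listing() {
    awk -v list="$1" '
    # octal digit or r/w/x letters -> three-character rwx form (Table 17-8)
    function norm(p) {
        if (p ~ /^[0-7]$/)
            return ((p + 0 >= 4) ? "r" : "-") ((p % 4 >= 2) ? "w" : "-") ((p % 2 >= 1) ? "x" : "-")
        return (index(p, "r") ? "r" : "-") (index(p, "w") ? "w" : "-") (index(p, "x") ? "x" : "-")
    }
    # effective permissions: a bit survives only if entry and mask both grant it
    function eff(p, m,   i, s, c) {
        for (i = 1; i <= 3; i++) { c = substr(p, i, 1); s = s ((c == substr(m, i, 1)) ? c : "-") }
        return s
    }
    function full(t) {
        if (t == "u") return "user"
        if (t == "g") return "group"
        if (t == "o") return "other"
        if (t == "m") return "mask"
        if (t == "d") return "default"
        return t
    }
    BEGIN {
        n = split(list, ents, ",")
        for (i = 1; i <= n; i++) {
            k = split(ents[i], f, ":")
            pre = ""
            if (full(f[1]) == "default") {             # strip the default: prefix
                pre = "default:"
                for (j = 1; j < k; j++) f[j] = f[j + 1]
                k--
            }
            type = full(f[1])
            id = (type == "other" || type == "mask") ? "" : f[2]
            key = pre type ":" id
            P[key] = norm(f[k]); T[key] = type; D[key] = pre
            order[++cnt] = key
        }
        ntypes = split("user group mask other", types, " ")   # getfacl order
        for (pass = 1; pass <= 2; pass++) {
            pre = (pass == 1) ? "" : "default:"
            mask = ((pre "mask:") in P) ? P[pre "mask:"] : "rwx"
            for (t = 1; t <= ntypes; t++)
                for (i = 1; i <= cnt; i++) {
                    key = order[i]
                    if (D[key] != pre || T[key] != types[t]) continue
                    sep = (T[key] == "mask" || T[key] == "other") ? "" : ":"
                    line = key sep P[key]
                    # getfacl annotates named users and the group entries, not the owner
                    if (pre == "" && (T[key] == "group" || (T[key] == "user" && key != "user:")))
                        line = sprintf("%-24s#effective:%s", line, eff(P[key], mask))
                    print line
                }
        }
    }'
}

# "trivial" unless the list names specific users or groups or carries default
# entries; a non-trivial ACL is what makes ls -l show the + sign.
# Usage: acl_is_trivial ENTRY_LIST   -> prints trivial or extended
acl_is_trivial() {
    printf '%s\n' "$1" | awk -F, '{
        for (i = 1; i <= NF; i++) {
            n = split($i, f, ":")
            if ((f[1] ~ /^(u|user|g|group)$/ && n == 3 && f[2] != "") ||
                f[1] ~ /^(d|default)$/) { print "extended"; exit }
        }
        print "trivial"
    }'
}

acl_listing "u::7,g::4,o:0,m:4,u:george:7"
acl_is_trivial "u::7,g::4,o:0,m:4,u:george:7"
```

Running it with the entry list from the second example above reproduces the getfacl output shown there, including george's read-only effective permission under the r-- mask; that is the calculation to do before lowering a mask on a file that other users depend on.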

How to Copy an ACL

Copy a file's ACL to another file by redirecting the getfacl output.


$ getfacl filename1 | setfacl -f - filename2

filename1

Specifies the file from which to copy the ACL. 

filename2

Specifies the file on which to set the copied ACL. 

Example--Copying an ACL

The following example copies the ACL on ch2.doc to ch3.doc.


$ getfacl ch2.doc | setfacl -f - ch3.doc

How to Check If a File Has an ACL

Check if a file has an ACL by using the ls command.


$ ls -l filename

filename

Specifies the file or directory. 

A plus sign (+) to the right of the mode field indicates the file has an ACL.


Note -

Unless you have added ACL entries for additional users or groups on a file, the file's ACL is considered "trivial" and the + is not displayed.


Example--Checking If a File Has an ACL

The following example shows that ch1.doc has an ACL, because the listing has a + to the right of the mode field.


$ ls -l ch1.doc
-rwxr-----+  1 nathan   sysadmin      167 Nov 11 11:13 ch1.doc

How to Modify ACL Entries on a File

  1. Modify ACL entries on a file by using the setfacl command.


    $ setfacl -m acl_entry_list filename1 [filename2 ...]
    

    -m

    Modifies the existing ACL entry. 

    acl_entry_list

    Specifies the list of one or more ACL entries to modify on the file or directory. You can also modify default ACL entries on a directory. Table 17-8 and Table 17-9 show the valid ACL entries.

    filename ...

    Specifies one or more files or directories. 

  2. To verify that the ACL entries were modified on the file, use the getfacl command.


    $ getfacl filename
    

Examples--Modifying ACL Entries on a File

The following example modifies the permissions for the user george to read/write.


$ setfacl -m user:george:6 ch3.doc
$ getfacl ch3.doc
# file: ch3.doc
# owner: nathan
# group: staff
user::rw-
user:george:rw-         #effective:r--
group::r--              #effective:r--
mask:r--
other:r--

The following example modifies the default permissions for the group staff to read and the default ACL mask permissions to read/write on the book directory.


$ setfacl -m default:group:staff:4,default:mask:6 book

How to Delete ACL Entries From a File

  1. Delete ACL entries from a file by using the setfacl command.


    $ setfacl -d acl_entry_list filename1 ... 
    

    -d

    Deletes the specified ACL entries. 

    acl_entry_list

    Specifies the list of ACL entries (without specifying the permissions) to delete from the file or directory. You can only delete ACL entries and default ACL entries for specific users and groups. Table 17-8 and Table 17-9 show the valid ACL entries.

    filename ...

    Specifies one or more files or directories. 

    Alternately, you can use the setfacl -s command to delete all the ACL entries on a file and replace them with the new ACL entries specified.

  2. To verify that the ACL entries were deleted from the file, use the getfacl command.


    $ getfacl filename
    

Example--Deleting ACL Entries on a File

The following example deletes the user george from the ch4.doc file.


$ setfacl -d user:george ch4.doc

How to Display ACL Entries for a File

Display ACL entries for a file by using the getfacl command.


$ getfacl [-a | -d] filename1 ...

-a

Displays the file name, file owner, file group, and ACL entries for the specified file or directory. 

-d

Displays the file name, file owner, file group, and default ACL entries for the specified directory. 

filename ...

Specifies one or more files or directories. 

If you specify multiple file names on the command line, the ACL entries are separated by a blank line.

Examples--Displaying ACL Entries for a File

The following example shows all the ACL entries for the ch1.doc file. The #effective: note beside the user and group entries indicates what the permissions are after being modified by the ACL mask.


$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:r--         #effective:r--
group::rw-              #effective:rw-
mask:rw-
other:---

The following example shows the default ACL entries for the book directory.


$ getfacl -d book
# file: book
# owner: nathan
# group: sysadmin
user::rwx
user:george:r-x         #effective:r-x
group::rwx              #effective:rwx
mask:rwx
other:---
default:user::rw-
default:user:george:r--
default:group::rw-
default:mask:rw-
default:other:---