First of all, here’s an excellent document explaining all about Access Control Lists (ACLs) in Linux. What follows here is a simple example of how you can put them to use.
I do PHP development on one of my Linux laptops. I go with the standard apache + mod_php setup and all works pretty well. But here’s the thing – I don’t want to have to copy over a file I’ve worked on, say from somewhere in my home directory to the docroot of the vhost where it actually needs to be deployed. That’s a pretty easily avoidable extra step.
The problem is with managing permissions. Typically, all files under the docroot should be owned by the apache (or equivalent) user. No other user should have write access to this folder. But then I don’t want to have to sudo copy a file, then change ownership back to apache every time. It is prone to oversights and can lead to weird side effects if not done diligently. This is where ACLs come to the rescue. The rationale is as follows:
- On my personal dev machine, I am ok with allowing one user (the one I log in and work with) to have write access to the apache-owned folders, so as to ease development by directly editing/creating files in place. This user need not share any groups with apache. ACLs allow for precisely this kind of fine-grained access rules to be defined. (For the hawk-eyes among you, there is a way to retain ownership of new files with apache’s primary group, even if they were created by a different user. See here.)
- The standard Linux permissions need not be opened up to all and sundry.
- The server runs without any problems, since it owns all the files in docroot.
- The developer is spared a few cumbersome maintenance steps.
- System security is not unnecessarily compromised.
- Even SELinux (if enabled) doesn’t crib.
So here’s what I do – assuming your apache webroot is at /var/www/html (there could be, and usually are multiple docroots in here), a user named aditya needs to be given write access (recursively). That is done by running:
$ sudo setfacl -R -m u:aditya:rwx /var/www/html/
And that’s pretty much it! If you’ve setup your setgid bits by following the link above (in point #1), and the standard rwx ownership is still with apache, you’re all set!