If you're thinking of setting an ACL for a specific user/group/other on Linux, you can issue the following:

$ setfacl -m <type>:<name>:<permission> <file|directory name>

So, for example, to grant Bob read, write and execute permissions on the directory dir, you would issue the following:

$ setfacl -m u:bob:rwx dir

To check Bob's permissions you can use getfacl with the --omit-header flag, which hides the first three lines showing the name, owner and group:

$ getfacl --omit-header dir
user::rwx
user:bob:rwx
group::r-x
mask::rwx
other::---

Group writable web folders with setgid and ACL

Often there is a need for web-accessible folders to be set up so that all web developers have write access. Along with the setgid option, an ACL can be used so that anyone in the group "web-developers" has write privileges to anything under the web-accessible document root. Unless the ACL privileges are specifically revoked, it will just continue to work.

To enable ACL, add the "acl" option to the /etc/fstab entry for the corresponding partition and remount.

Edit /etc/fstab:

/dev/mapper/home /home ext4 defaults,acl 0 2

Remount:

# mount -o remount /home
Here are the commands to be used for the setup:

# groupadd developers
# chgrp -R developers /path/to/docroot
# find /path/to/docroot -type d -exec chmod g+s {} \;
# find /path/to/docroot -type d -exec setfacl -m g:developers:rwx,d:g:developers:rwx {} \;
# find /path/to/docroot -type f -exec setfacl -m g:developers:rw {} \;

Now anyone needing write access can be put in the "developers" group. The -a flag appends the group; without it, usermod -G replaces the user's existing supplementary groups.

# usermod -a -G developers {username}

If you need the webserver to have write access to certain folders, then chown those locations so they are owned by the webserver user, instead of giving write permissions to all.
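An added example, not part of the original page: a read-only audit script for the layout above. It lists directories missing the setgid bit, entries with the wrong group, anything writable by "other", and directories whose ACL lacks the group or default group entry or has it narrowed by the mask. The function names and the audit.sh file name are assumptions of this example; the docroot path and group name are passed as arguments.

```sh
#!/bin/sh
# Added example: read-only audit of a docroot against the setgid + ACL layout.

# Directories without setgid: files created in them will not inherit the group.
missing_setgid() { find "$1" -type d ! -perm -2000; }

# Entries whose group is not GROUP (name or numeric gid).
wrong_group() { find "$1" ! -group "$2"; }

# Anything writable by "other", which the group ACL is meant to make unnecessary.
world_writable() { find "$1" ! -type l -perm -0002; }

# stdin: `getfacl --omit-header` output for one directory. Prints each required
# entry for GROUP that is absent, or present but narrowed by the mask.
acl_gaps() {
    acl=$(cat)
    for want in "group:$1:rwx" "default:group:$1:rwx"; do
        line=$(printf '%s\n' "$acl" | grep -E "^${want}([[:space:]]|\$)") ||
            { printf 'missing %s\n' "$want"; continue; }
        case $line in *'#effective:'*) printf 'masked %s\n' "$want" ;; esac
    done
}

# Run every check on ROOT for GROUP; print findings and return 1 if any.
audit_docroot() {
    root=$1 group=$2
    findings=$(
        missing_setgid "$root" | sed 's/^/no-setgid: /'
        wrong_group "$root" "$group" | sed 's/^/wrong-group: /'
        world_writable "$root" | sed 's/^/world-writable: /'
        if command -v getfacl >/dev/null 2>&1; then
            find "$root" -type d | while IFS= read -r d; do
                getfacl --omit-header "$d" 2>/dev/null | acl_gaps "$group" |
                    while IFS= read -r g; do printf 'acl: %s: %s\n' "$d" "$g"; done
            done
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit.sh /path/to/docroot developers
if [ "$#" -ge 2 ]; then audit_docroot "$1" "$2"; fi
```

A "masked" finding means the entry is present but the mask limits its effective rights, which happens when a later chmod removes group permissions from a file or directory that carries an ACL.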
Linux Home: Linux System Administration Hints and Tips (c) www.gotothings.com All material on this site is Copyright.