Per-User Access Controls on Linux
I was recently wondering how to give individual users access to some files and directories without dealing with group permissions. Since Linux only allows a single group and user for every file, it was too limited for my usecase. Last time I had this problem, I found a solution:
setfacl (Set File Access Control List). Linux does support extended file permissions, called Access Control Lists, though it's not as visible as group and user permissions. I forgot about it and had to hunt down my Bash history. This time, instead of worrying if my Bash history from a year ago is still available, I'm writing it down.
My use case last time was pretty simple. I wanted to use GitHub Actions to upload files to my server. The safest way to give GitHub access was to create a user and copy the files over using rsync (via SSH), but I didn't want to add this user to a group. Managing groups is a hassle and I'd rather not. All this user needs is write access to a single directory.
So given a user
github and directory
/srv/www/public giving write access is as simple as:
sudo setfacl -R -m u:github:rw /srv/www/public
To make it so all new files under the directory have those permissions (a.k.a defaults):
sudo setfacl -d -R -m u:github:rw /srv/www/public
To check existing access controls:
sudo getfacl /srv/www/public
And that's all there is to it. Simple.
Thanks for reading.