Jahed Ahmed

Per-User Access Controls on Linux

I was recently wondering how to give individual users access to some files and directories without dealing with group permissions. Since Linux only allows a single group and user for every file, it was too limited for my usecase. Last time I had this problem, I found a solution: setfacl (Set File Access Control List). Linux does support extended file permissions, called Access Control Lists, though it's not as visible as group and user permissions. I forgot about it and had to hunt down my Bash history. This time, instead of worrying if my Bash history from a year ago is still available, I'm writing it down.

My use case last time was pretty simple. I wanted to use GitHub Actions to upload files to my server. The safest way to give GitHub access was to create a user and copy the files over using rsync (via SSH), but I didn't want to add this user to a group. Managing groups is a hassle and I'd rather not. All this user needs is write access to a single directory.

So given a user github and directory /srv/www giving write access is as simple as:

sudo setfacl -R -m u:github:rw /srv/www

To make it so all new files under the directory have those permissions (a.k.a defaults):

sudo setfacl -d -R -m u:github:rw /srv/www

To check existing access controls:

sudo getfacl /srv/www

And that's all there is to it. Simple.

Thanks for reading.